Flood of fed telecom deals coming

AT&T, Verizon and other carriers are salivating over the billions of dollars in deals expected to be awarded in coming months under the federal Networx program. Page 11.

Realizing unified communications' benefits

Early adopters share their experiences with presence and other UC technologies at last week’s VoiceCon Orlando 2008 conference. Page 12.

NETWORKWORLD

The leader in network knowledge ■ www.networkworld.com

Novell picking its battles

Novell wants to shed historical comparisons against industry titans and develop new core infrastructure services. Page 18.


Processor wars heating up

As AMD ships its long awaited four-core Barcelona chip, Intel unveils work on a six-core processor due by year-end. Page 24.

Changes in attitudes

Carrier moves on open access, P2P indicative of shift in way they handle new technology. Page 25.

Who owns storage these days?

The growing flood of data that companies create and consume is changing who is responsible for storage within IT departments. Page 32.

Outsourcing security presents pros & cons


BY ELLEN MESSMER

When it comes to outsourcing security functions, skepticism still rules the day. The idea of trusting an outside firm to maintain gear, monitor for attacks, perform scans, collect logs or update security software is foreign to many users.

But to hear advocates tell it, outsourcing security frees up in-house IT staff from mundane tasks to deal with more strategic matters, to say nothing of reducing the need for more head count.

The naysayers worry that outsourcing means losing sight of security risks because outsiders will follow a contract mechanically, without thinking through all of the implications. Whether outsourcing is cost-effective is part of the debate, too, but the central question of control stirs the greater emotions.

Those bullish on security outsourcing say it’s a way to move their in-house security specialists, already in short supply, into more strategic jobs while making sure everyday tasks get done.

“We either have to bring in more internal IT people or get
See Outsourcing, page 28

CLEAR CHOICE TEST: ACCESS SWITCHES

Not just packet ... anymore

New generation of powerful switches boast advanced features such as multicast, 802.1X support and DoS storm

Cisco’s Catalyst 3750E offers the most extensive feature set of the seven switches tested.

HP’s ProCurve 3500yl provides comparable features at half the price.

Extreme’s Summit X450 scores high in throughput and latency tests.

PAGE 34.

Go online to hear David Newman discuss the results with testing editor Christine Burns. www.nwdocfinder.com/4148
12 UC early adopters tout benefits.
18 Novell CEO picking his battles.
30 Opinion Andreas Antonopoulos: Security in a bubble.
32 SPECIAL FOCUS: Storage revolution shuffling IT jobs.
30 Opinion Scott Bradner: Irrelevant victories in the war on spam.

COOL TOOLS
■ The Dymo DiscPainter lets you produce professional-looking CDs and DVDs. See Cool Tools, page 23.

50 Opinion BackSpin: Reviewing your top IT hates.
30 Opinion Johna Till Johnson:
24 Processor wars heat up.
24 Microsoft, Intel pour $20 million into parallel computing research.

APPLICATION SERVICES
50 Opinion ’Net Buzz: No PR purge here, says security vendor.

SERVICE PROVIDERS
11 U.S. government to award flood of telecom deals.
25 Verizon moves to open net access.

TECH UPDATE
22 Unlock the value of logs.
23 Mark Gibbs: Working with NSIS’ screensaver installer.
23 Keith Shaw: Huzzah! Stuff works!

GOODBADUGLY

Stretching 802.11's range

Intel has demonstrated a modified 802.11 radio link with a data rate of around 6Mbps and a range of more than 60 miles. Intel achieved this extraordinary range using off-the-shelf hardware, including parabolic antennas, for its project, dubbed the rural connectivity platform (RCP), that borrows an approach used in cellular networks.

Arthur C. Clarke

Science fiction writer and inventor Sir Arthur C. Clarke died last week at his home on the island nation of Sri Lanka at the age of 90. Clarke's greatest contribution to technology was creating the conceptual framework for geostationary satellites.

Lockdown down for the count

Network-access-control start-up Lockdown Networks has shut down operations, becoming another in what has become a string of vendors floundering in the network access arena. The company blamed its failure on economic trends and slower than predicted adoption of NAC.

Shh . . .

Re: Hannaford supermarket chain discloses data breach involving credit, debit cards (www.nwdocfinder.com/4127):

Spectacular announcements about massive data security breaches do the public little good. [Their] implication is that some data is more exposed than other data. As a practical matter, that is false. All personally identifiable data is more or less exposed all the time.

And successful exploitation of that data by an identity thief requires a lot of work and luck. Socially responsible data holders should set a high threshold of proof before concluding that a “data security breach” worthy of announcement has occurred for any given unit of data (data holders should of course consult their attorneys).

Benjamin Wright

Discuss at www.nwdocfinder.com/4128

IT for president!

Re: How IT pros could sway ’08 election (www.nwdocfinder.com/4129): If we wanted to influence anything, we should unionize, like the airline pilots.

Gordon 102

Discuss at www.nwdocfinder.com/4130

Would never work

Re: The above comment: Unionizing would be good if only we had any power at all. Most companies would just hire around us and then laugh their heads off. Pilots, on the other hand, fly planes. That’s not just something anyone can do!

Anon.

NAC is just a niche technology

Re: Another NAC vendor bites the dust: Cisco to blame? (www.nwdocfinder.com/4162): NAC is a niche solution for specific vertical markets such as military/police. This space is not even big enough for Cisco, it would not be the first time that they walked away from a technology. NAC is all about fixing failures in Windows, which Microsoft will eventually include or fix itself. In the next six months NAC is going to struggle with the release of WinXP SP3 and Vista SP1, which will probably break NAC clients everywhere. You can’t choose to ignore these because of all the security fixes.

The rise of Mac and Linux desktops means that the NAC development resources will be stretched to provide coverage and that will probably lead to a failure to take hold in the market.

NAC might work for some people, but it isn’t going to work for most people. That means a non-viable market. Exit NAC, stage left.

No one will miss it; the current solution is a mess and needs to be replaced.

Greg Ferro

Discuss at www.nwdocfinder.com/4162

IT hates, redux

Re: My top eight IT hates (www.nwdocfinder.com/4131): When I delete something, just let it go away; don’t doublecheck; that’s what the recycle bin or trashcan are for. If your software doesn’t [let you] retrieve deleted documents/whatevers, maybe it should, e.g., DOS/Windows (any version), Network World iDemand software.

Some bloggers that don’t blog, but feel the need to post something, even if it is just a link to something else. If I read your blog, it is because for whatever reason I am looking for your thoughts on the subject you write about; I am not looking to you for content aggregation without your commentary.

Lon Feuerhelm

Discuss at www.nwdocfinder.com/4132

How Microsoft should have named its operating systems

Re: Price cuts won’t solve Vista’s problems, says analyst (www.nwdocfinder.com/4135):

If the Longhorn name were kept, this would be my naming list:

Vista Starter Edition: Shorthorn Lite

Vista Basic: Shorthorn

Vista Home Premium: Longhorn

Vista Business: Longhorn Utility

Vista Ultimate: Longhorn Fatted Prime

And guess what the name for the PDA edition would be?

Answer: Shoehorn.

LCarliner

Discuss at www.nwdocfinder.com/4136

E-mail letters to jdix@nww.com or send them to John Dix, editor in chief, Network World, 118 Turnpike Road, Southborough, MA 01772. Please include phone number and address for verification
Follow these links to more resources online

INTERVIEWS, THE COOLEST TOOLS AND MORE

COOL TOOLS:

Printing in circles

Keith Shaw is mesmerized by the Dymo DiscPainter's ability to seemingly paint in concentric circles. Plus he loves making cool graphics for his DVDs.

www.nwdocfinder.com/4144

IDG NEWS WIRE:

Control computers with brain waves

BrainGate is a new technology where a chip is implanted in the brain that picks up electrical impulses. A computer then interprets those impulses as actions.

www.nwdocfinder.com/4145

Panasonic shows new Wi-Fi cameras

Panasonic's Lumix DMC-FX500 comes with a touch screen for tracking objects in the shot and the DMX-TZ50 packs Wi-Fi for picture uploading.

www.nwdocfinder.com/4146
BLOGOSPHERE

■ Firewall obsolescence. New security blogger Richard Stiennon writes: For too long I have been gagged by my position as head of marketing for a vendor*. My fellow bloggers had a tendency to call "marketing foul!" when I used my blog to propound my beliefs. Now that I am once more a free agent there is some ground to be covered. Let me reminisce for a minute on the history of the firewall industry through the eyes of, well, me. www.nwdocfinder.com/4137

■ Wal-Mart’s ‘greenest’ store devours 45% less energy. Layer 8 writes: Retail giant Wal-Mart opened what it called its most energy efficient store ever, one that will use up to 45% less energy than its current Supercenters. The building, in southwest Las Vegas, is engineered specifically for the region’s desert climate, Wal-Mart said. www.nwdocfinder.com/4138

■ Hackers hijack routers and blackmail companies to regain access. Cisco engineer Brian Wilson recalls stories from Black Hat 2008 in which large companies have had their routers hijacked and the hackers blackmailing them for cash in return for access. One company paid up saying it was cheaper to do so than to carry out password recovery. www.nwdocfinder.com/4139

■ Top 20 most braindumped certification vendors. Certification Integrity bloggers Robert Williams and Taylor Ripley detail the industry’s top 20 vendors that have the most braindump sites posting up answers to their certification exams and ask what are the vendors doing about this problem. www.nwdocfinder.com/4140

■ Hyper-V leaves Linux out in the cold. Microsoft Subnet blogger Mitchell Ashley writes: No offense to SUSE Enterprise Server crowd, but only providing SUSE support in Hyper-V is a huge mistake. By not supporting Red Hat, Fedora, CentOS, and BSD, Microsoft is telling us Hyper-V is a Microsoft only technology. More Mt. Redmond, Microsoft center of the universe thinking. That's disappointing. Sure, if you are a Microsoft only shop, Hyper-V will be an option for virtualization. But so will VMware and XenServer. But if you run a mixed shop, Hyper-V won't solve your problems alone; you'll have to also add VMware or Xen to your virtualized data center portfolio. Or just go with VMware and Xen and forego Hyper-V. www.nwdocfinder.com/4150

How Ancor met its service-level agreement with Ford

Storage: Eric Mynster was faced with a problem. As corporate IT manager for Ancor Information Systems, the Troy, Mich., supplier of customized print and electronic document services, Mynster had servers he needed to protect and make sure they were always available to meet the service-level agreements he had set for customer Ford Motor Company. Ancor provides clients such as Ford with the ability to view online files for automobile window stickers and any type of paper label that goes into a vehicle. The company prints as many as 60,000 to 100,000 VIN-specific documents for Ford each day. “One of the services we provide to our clients is online PDF viewing for window stickers, bills, policies, etc.,” Mynster says.

www.nwdocfinder.com/4141

Network/systems management: A day doesn’t go by without some survey, study or research report informing the public that the U.S. high-tech industry is desperately lacking skilled IT workers. Such commentary also coincides with news that Microsoft reportedly has more than 4,000 job openings and company Chairman Bill Gates is lobbying for Congress to raise the controversial H-1B visa cap to allow U.S. companies to hire more foreign nationals and fill those empty positions. To fan the flames of the growing workforce panic, many IT industry watchers comment on the fact that baby boomers will be eligible to retire in the next few years. And as this seasoned workforce moves on to consulting, part-time positions or true retirement, the number of computer and technology graduates is dwindling, leaving what many forecast to be a huge talent loss for the industry.

www.nwdocfinder.com/4142

Wireless: The ruthless atmosphere in the wireless LAN industry is reminiscent of five years ago, when the fat-vs.-thin access point and centralized architecture wars were peaking. Today the impetus for WLAN vendors to sling mass quantities of mud at each other, of course, is 802.11n. The 802.11n carrot is dangling deliciously in front of WLAN veterans and start-ups alike while enterprises re-evaluate their WLAN plans and vendors in anticipation of over-the-air Ethernet speeds and a forthcoming standard with a decent degree of longevity. The competitive zeal is spurring some fairly tall tales.

www.nwdocfinder.com/4149

3Com deal falls apart

Bain Capital Partners and China’s Huawei Technologies have abandoned their $2.2 billion bid to buy 3Com because of security concerns by the U.S. government. The companies said last month that the proposed purchase of 3Com was on hold because of security concerns at the U.S. Committee on Foreign Investment in the United States, but they announced last Thursday that the deal was terminated because CFIUS intended to take action to prohibit the sale. Bain, based in Boston, would have controlled an 83.5% stake in 3Com, with China’s Huawei getting the remainder. Critics had raised concerns that Huawei has strong ties to the Chinese government. www.nwdocfinder.com/4153


Microsoft acquires Komoku. Microsoft hopes to beef up its security capabilities with the acquisition of Komoku, a developer of rootkit detection products. Microsoft plans to add Komoku’s technology into its Forefront and Windows Live OneCare products. Forefront is Microsoft’s suite of enterprise security software that includes malware protection for PCs, security tools for Exchange and SharePoint servers, and gateways that secure remote access to corporate data. OneCare is a package of security software for PC users that scans for viruses and spyware, backs up files and helps with network management. Financial terms of the deal were not disclosed. www.nwdocfinder.com/4154

U.S. names head of new cybersecurity center. Tech entrepreneur and author Rod Beckstrom has been named the first director of the new National Cyber Security Center at the U.S. Department of Homeland Security. Beckstrom, founder of Cats Software and co-founder of Twiki.net, a company offering an open source wiki software system, will head the center, created by President George Bush in a January directive. In addition to founding a handful of tech companies and nonprofit groups, Beckstrom is co-author of the book, The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, which praises the nimbleness of decentralized organizations. Beckstrom has suggested the U.S. government could better fight terrorist groups by taking a more decentralized approach, including using outsourcing and deploying more autonomous special operations units on the battlefield. www.nwdocfinder.com/4155

SEC suspends trade for three firms over spam, YouTube videos. The Securities and Exchange Commission last week suspended securities trading of three companies that have been the subject of spam e-mail campaigns and promotional videos on YouTube. The videos often repeat information in the companies’ press releases and are posted to coincide with traditional spam e-mail campaigns, the SEC charged. The commission suspended NeoTactix, Graystone Park Enterprises and Younger America, saying in addition to the spam, each has inadequately disclosed its assets, business operations and financial condition. The trading suspensions will last 10 business days. Through its Anti-Spam Initiative, the SEC has suspended trading in the securities of 50 companies and has brought several enforcement actions against spammers, promoters and insiders. www.nwdocfinder.com/4156

Survey: IT pros favor McCain, Obama. By sheer number alone, IT professionals could sway this year’s presidential election, according to a recent survey of 600 IT workers conducted by CompTIA and Rasmussen Reports. The survey, which took place before the early March primaries, revealed that the 12 million IT professionals eligible to vote are a larger group than previously estimated and more politically active than believed to be in the past. Among those polled, 39% said they considered themselves conservative, 24% called themselves liberal and 36% referred to themselves as moderate. As for candidates, Senators John McCain and Barack Obama would win the most votes among IT workers polled, with each garnering 29%. Sen. Hillary Clinton was cited by 13%. www.nwdocfinder.com/4157


Lawsuits target eBay sellers of counterfeit software. The Software & Information Industry Association has filed eight new lawsuits against eBay-based software sellers, alleging that they are selling counterfeit products. The lawsuits were filed on behalf of Adobe Systems and are among more than 25 lawsuits SIIA has filed against eBay sellers in the last two years. The most recent lawsuits accuse eBay sellers of selling illegal copies of Adobe PhotoShop CS3 and other software. SIIA officials have approached eBay about ways to cut down on the sale of counterfeit software, but eBay has rejected the ideas, the trade group says. SIIA has estimated that about 90% of software sold on eBay is illegal. www.nwdocfinder.com/4158

Search wars: Google’s share up, Yahoo and Microsoft down. Google continued to increase its share of the U.S. search market in February, widening the gap that Microsoft hopes to fill by buying Yahoo. In February, Google’s share of core searches by U.S. Internet users rose to 59.2%, up from 58.5% in January, according to market research company comScore. During the same period, Yahoo’s share slipped to 21.6%, from 22.2% a month earlier, while Microsoft’s share slipped to 9.6% from 9.8%. AOL is clinging to a 4.9% share, while Ask saw its share rise slightly to 4.6% from 4.5% in January. www.nwdocfinder.com/4159

Hannaford breach spurs class-action lawsuits. Two class-action lawsuits have been filed on behalf of customers of Hannaford Bros. supermarket chain, which on March 17 acknowledged a data breach that exposed card numbers involved in 4.2 million credit and debit transactions, leading to about 2,000 cases of reported fraud. Security breaches occurred from Dec. 7 to March 10 and involved 165 Hannaford stores in the Northeast, 106 Sweetbay stores in Florida and some independent stores in the Northeast selling Hannaford products. The breach is nowhere near as large as the TJX breaches that began in 2005 and involved at least 45.7 million credit and debit cards. But it has placed a renewed public emphasis on the retail industry’s failure to protect all customer data. www.nwdocfinder.com/4160

U.S. sets H-1B lottery rules. With less than two weeks to go before the start of the H-1B visa rush, the U.S. Citizenship and Immigration Service released rules to prevent applicants from trying to unfairly boost their odds in the expected visa lottery. Under the new rules, the USCIS will prohibit companies from filing multiple H-1B petitions for the same employee. If caught, prospective employers risk having all of their petitions for H-1B visas denied or revoked. The United States will begin accepting visas on April 1 for the 2009 fiscal year that begins Oct. 1. The USCIS will hold a lottery, similar to what it did last year, if it receives more than 65,000 visa applications under the H-1B cap. An additional 20,000 visas will be available for foreign nationals who receive advanced degrees from U.S. universities. www.nwdocfinder.com/4161
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U.S.  government  to  award 
flood  of  telecom  deals 


BY  CAROLYN  DUFFY  MARSAN 

Last  week,  AT&T  won  a  10-year,  $20  million 
deal  to  provide  voice  services  to  U.S.  Customs 
and Border Protection, an agency with stringent
security requirements and 47,000
employees  nationwide. 

AT&T  won  the  deal  as  a  task  order  under  the 
massive  Networx  program,  which  will  provide 
voice,  data,  video  and  wireless  services  to  the 
entire  U.S.  federal  government  for  the  next 
decade.  The  General  Services  Administration 
(GSA)  awarded  Networx  last  year  to  AT&T, 
Verizon  Business,  Qwest,  Sprint  Nextel  and 
Level  3  Communications. 

Networx  was  billed  as  the  largest  telecom 
deal  in  the  world.  But  until  now,  the  amount  of 
business  awarded  under  the  program  has 
been  a  mere  trickle.  Federal  telecom  vendors 
expect  the  trickle  to  turn  into  a  flood  this 
spring  and  summer. 

At  least  a  dozen  Networx  deals  are  due  for 
award  by  the  end  of  September,  when  the 
federal  fiscal  year  ends. That’s  because  GSA’s 
pool  of  funding  that  agencies  can  use  to 
transition  to  the  Networx  program  from  the 
predecessor  FTS  2001  contract  will  dry  up  in 
September. 

“Every  large  agency  is  going  to  make  a  large 
Networx  procurement  in  this  calendar  year," 
predicts  Jeff  Mohan,  executive  director  of 
AT&T’s  Networx  program  office.  “The  GSA  has 
some  transition  funds  that  are  available,  so 
agencies  can  avail  themselves  of  those  funds 
if  they  make  their  decision  by  the  end  of 
September. They don’t have to do the
implementation, just select a vendor.”

“There  are  a  lot  of  deals  coming  in  the  next 
six  months,"  agrees  Diana  Gowen,  senior  vice 
president  and  general  manager  of  Qwest 
Government Services. “People waited until the
last  minute  to  start  the  transition  to  Networx 
before  all  the  GSA  transition  dollars  are  going 
to  be  used  up." 

Networx  is  divided  into  two  parts:  Universal 
and  Enterprise.  Networx  Universal  provides 
comprehensive  telecom  services  globally,  and 
it  is  shared  by  AT&T, Verizon  and  Qwest. 

Networx Enterprise is geared toward emerging
IP and wireless services nationally and is
shared  by  AT&T,  Verizon,  Qwest,  Sprint  and 
Level  3. 

Networx  Universal  was  awarded  in  March 
2007,  and  Networx  Enterprise  was  awarded  in 
May  2007. 

Only  three  large  deals  have  been  awarded 
under  Networx  so  far,  and  all  of  them  were 
from  Networx  Universal. 

The  first  Networx  deal  was  a  $1  billion  voice 
and  data  services  contract  that  the  Treasury 
Department awarded to AT&T. The Treasury
Network, known as TNet, will be a secure
MPLS  network  spanning  1,000-plus  locations 
and  supporting  more  than  100,000  employees. 

The  other  two  sizeable  Networx  awards 
were:  AT&T’s  $20  million  voice  services  deal 
with Customs, which includes local, long-distance
and toll-free telephone service, calling
cards and audio conferencing; and Verizon’s
recent win of the Coast Guard’s voice and
private line data services, which has an estimated
value of more than $50 million.
(Verizon  hasn’t  disclosed  the  dollar  value  of 
the  Coast  Guard  deal.) 

Federal  telecom  vendors  say  a  backlog  of 
Networx  deals  will  be  awarded  soon. 



“It takes time for people to decide how
they want to [transition] and to have discussions
with the vendors,” says Susan
Zeleniak, group president of Verizon
Business. “We’re starting to see more statements
of work come out from the agencies,
and we’re expecting a pretty steady flow
now through summer. GSA has indicated
that they have several of them. ... The wheels
on Networx are starting to turn.”

The  biggest  Networx  deal  on  the  horizon  is 
the  Department  of  Homeland  Security’s 
OneNet,  a  consolidated  backbone  network 
that’s  due  for  award  in  April.  OneNet  was  bid 
under  Networx  Universal,  and  AT&T,  Verizon 
and  Qwest  have  submitted  bids. 

Other  agencies  that  have  issued  statements 
of  work  under  Networx  include  the  Federal 
Emergency  Management  Agency,  the 
Department  of  Transportation  and  the 
Department of Energy. Agencies planning to
fill  their  data  requirements  through  Networx 
include  the  Social  Security  Administration,  the 
Department  of  the  Interior  and  the  Labor 
Department.  The  Department  of  Defense  is 
expected  to  fill  its  voice  requirements  through 
Networx,  too. 

“Networx  Universal  is  getting  the  majority  of 
the work,” Gowen says. “It’s not a surprise, but

See  Networx,  page  46 
Microsoft's Hyper-V a step
closer  to  final 

Microsoft  has  released  a  feature-complete 
beta  of  Hyper-V  and  said  it  is  on  track  to 
ship  its  virtualization  technology,  which  has 
gone  through  numerous  delays,  by  August. 
The  latest  Hyper-V  beta  is  near-final  code 
and  includes  updates  from  the  beta  that 
shipped  in  late  February  when  Windows 
Server 2008 was released. With Hyper-V’s
shipment Microsoft will add a third hypervisor
option to go along with those already
available  from  VMware  and  Xen-based 
derivatives  marketed  by  Citrix  Systems, 
Oracle,  Red  Hat  and  Novell. 

BMC  puts  up  $800  million  for 
BladeLogic 

BMC  plans  to  acquire  data  center 
automation  vendor  BladeLogic  in  an  $800 
million  deal  that  would  boost  its  business 
service  management  and  automation 
products.  “We  coveted  this  business  for  a 
long  time,"  said  Bob  Beauchamp,  BMC’s 
president  and  CEO.  “Convincing  them  to 
sell  was  not  an  easy  process,  and  we 
were  not  the  only  company  interested  in 
buying them.” Industry watchers speculated
since HP acquired Opsware for $1.6
billion  last  year  that  BladeLogic’s  asking 
price  grew  exponentially  and  vendors 
such  as  BMC,  CA  and  IBM  were  looking 
to  buy  the  hot  technology.  BladeLogic 
started its business in 2001 as an automated
server provisioning company and
expanded  its  technology  to  also  update, 
patch  and  configure  virtual  and  physical 
machines. 

Web  2.0  at  its  peak? 

U.S.  investments  in  Web  2.0  companies 
reached  an  all-time  high  of  $1.34  billion  in 
2007,  almost  double  the  previous  year's 
total.  But  one  company  —  Facebook  — 
accounted  for  22%  of  that  windfall,  and 
the  total  number  of  investments  seems  to 
be  leveling  off  after  several  years  of 
meteoric  growth,  Dow  Jones 
VentureSource said in new research.
"From 2002 to 2006, Web 2.0 deal flow doubled
every year, but 2007 saw deals
increase  25%  to  178  from  143  deals  in 
2006,"  the  firm  reported.  Facebook  took  in 
$300  million,  including  $240  million  from 
Microsoft,  the  biggest  Web  2.0  venture 
capital deal of the year. Coming in a distant
second was Ning, a company that lets
users create their own niche social networks
and which raised $44 million from
venture  capitalists. 
UC early adopters tout benefits

Interoperability  between  unified  communications  products  is  a  concern 


BY  TIM  GREENE 

ORLANDO  —  Businesses  presenting  their 
stories  at  last  week’s  VoiceCon  Orlando  2008 
are  finding  that  unified  communications  can 
increase productivity, reduce costs, speed up
customer  service  and  even  do  good  things  for 
the  environment. 

The  downside  they  see  going  forward  is  the 
lack  of  interoperability  that  will  give  them  free 
choice among vendors, they say. (UC was a big
theme at VoiceCon. Read more at
www.nwdocfinder.com/4147.)

Dennis Schmidt, senior vice president for network
services at Bank of America, delivered a
keynote address on the company’s 115,000
Cisco VoIP phone system, which has been integrated
with UC gear to provide presence.

The phone system has cut the cost of supplying
phone service to employees by 15%
per seat on average, Schmidt said, crediting
remote management that means fewer trips
to branches to fix problems. With VoIP running
over the same network as data, the bank
has also saved on wiring up voice-only networks
in new buildings.

The system has enabled workers who move
from building to building to log into an IP
phone and get their presence registered to the
network, have their calls routed to the phone
and get their voice mail. “It becomes their
phone,” Schmidt says. Without VoIP they would
have to forward calls from a dedicated extension
somewhere in the network.

The  VoIP  system  is  green,  too,  Schmidt  said, 
citing  shared  workspaces  that  VoIP  enables  as 
translating  into  less  office  space  to  heat  and 
cool  as  well  as  enabling  employees  to  work  at 
newly  created  suburban  facilities  built  closer 
to  where  they  live  to  reduce  commute  times 
and  the  amount  of  gasoline  used. 

The  bank  uses  wireless  handsets  to  improve 
productivity  of  bank  managers  who  spend 


VoiceCon  Orlando  roundup 


Chambers  meets  Gore,  Microsoft 
meets  Aspect  and  IBM  exec  warns 
of  e-mail's  demise 

Here’s  a  roundup  of  last  week's  VoiceCon  Orlando  2008  action: 

• Cisco CEO John Chambers and former Vice President Al
Gore teamed to discuss environmental issues and possible technological
solutions, speaking from Cisco telepresence rooms in
San Jose and Nashville, respectively (see photo, right). The discussion
was moderated by a journalist in London and hosted at
the show by Cisco’s chief marketing officer Sue Bostrom, with
others viewing it in The Netherlands and Dubai, United Arab
Emirates. The point was that dispersed groups can meet without
flying to the same place, thus not contributing to carbon-dioxide
pollution that is the cause of climate change.

• Microsoft and Aspect Software are working on a unified communications-based
contact center that integrates with
Microsoft’s Office Communications Server 2007, potentially
pushing the joint products into use in Fortune 100 companies that
are already Aspect customers. The two companies announced at
VoiceCon that they have made an alliance to develop the interoperability
and for Aspect to push it as the lead call-center option
to its customers. Microsoft has also made an equity investment of
an undisclosed size in Aspect, the companies said.

•  IBM  foresees  the  demise  of  e-mail,  phones  and  desktops  as 
unified  communications  makes  it  possible  to  replace  them  with 
laptops  and  other  mobile  devices.  In  his  keynote  address  at 
VoiceCon,  IBM  Lotus  General  Manager  Mike  Rhodin  put  forward 
that  prediction  and  several  others  about  how  UC  will  change  the 
way  businesses  interact.  Instant  messaging  will  step  up  as  the 
preferred  means  of  written  communication  around  which  other 
communications  modes  —  voice,  video,  conferencing  —  will 
revolve,  he  predicted.  Laptops  with  voice  and  video  embedded  will 
become  all  that  workers  need  to  support  their  business  needs, 
Rhodin  says,  but  the  transition  will  be  gradual,  he  says.  “It’s  not  a 
rip and replace world," Rhodin said in an interview. "You need to
leverage what you’ve got already. Starting over is not appealing.”

• Microsoft is working with Tandberg to deliver a $300 high-definition
video camera by next year that it said will bring high-quality
video conferencing to the mass of workers, not just those
who  can  schedule  time  in  specially  constructed  conference 
rooms.  "Putting  innovation  in  the  high  end  of  video  is  great,"  said 
Gurdeep  Singh  Pall,  Microsoft's  vice  president  of  the  UC  group, 
"but  putting  it  in  the  hands  of  everyday  workers  is  how  you  will 
drive  change.”  UC  needs  to  be  brought  to  the  masses,  and  in  the 
process  that  can  help  solve  the  country’s  current  economic  woes, 
said  Avaya  CEO  Lou  D’Ambrosio  in  a  keynote  address.  UC  can 
add  efficiency,  productivity  and  improved  customer  service  that 
will  make  businesses  perform  better  and  therefore  improve  the 
economy, he said. To further that end, the company last Tuesday
announced  a  set  of  service  and  product  bundles  that  address 
needs  of  different  classes  of  workers. 


—  TIM  GREENE 
Bank of America senior vice president Dennis Schmidt has seen worker productivity
increase with use of wireless VoIP phones.


more  time  out  of  their  offices  with  customers 
than  they  could  when  they  had  to  run  back 
to  their  desk  phones.  VoIP  over  wireless 
phones  has  not  been  deployed  to  everyone 
because  Schmidt  believes  the  technology  is 
not  ready  yet. 

One  lesson  learned  by  Bank  of  America  was 
that setting up the right team is key. “Network
transformation  is  less  about  technology  and 
more  intensely  about  the  people,  process  and 
organizational  transformation,”  Schmidt  said. 
He  recommended  setting  goals  for  how  many 
VoIP  phones  will  be  deployed  per  month,  then 
sticking  to  those  goals. 

In its internal deployment of VoIP, service
provider Global Crossing decided to give its
people a taste of the technology and see
where they took it, said Michael Fuqua, senior
vice president of information systems. It was
given the broad goal of enabling departments
to use communications to overcome
business roadblocks.

The provider uses Microsoft Office Communications
Server (OCS) as its UC platform in tandem
with Nortel and Polycom VoIP gear.

The  deployment  strategy  was  to  deliver  OCS 
to  everyone,  Microsoft  Exchange  collaboration 
software  to  40%  of  workers,  VoIP  headsets  to 
10%  and  video  gear  to  less  than  5%.  After  that, 
it  was  up  to  business  units  to  decide  whether 
they  wanted  to  invest  money  from  their  own 
budgets  on  the  gear  to  boost  their  individual 
bottom  lines,  Fuqua  said. 

For instance, a provisioning application flags
potential problems setting up a customer line,
which often requires consultation among provisioning
staff. By embedding communications
in the application, workers can reach each
other by clicking within the application. The
back-end provisioning setup boosted successful
resolutions of issues on the first try by more
than 20%, he says.

Overall  the  UC  platform  has  resulted  in  30% 
fewer  long-distance  calls  made  by  Global 
Crossing  workers. Some  company  departments 
also  showed  a  20%  reduction  in  travel  costs 
because  workers  collaborated  on  the  network 
rather  than  in  person. That  20%  has  now  been 
mandated  across  the  company,  Fuqua  said. 

The  key  to  UC  success  is  not  about  shoving 
the  technology  down  people’s  throats,  but  in 
improving  the  efficiency  of  workers. “Maintain 
focus  on  applications,”  he  said. 

Black  and  Decker  tools  around  with  UC 

The  focus  at  Black  and  Decker  is  on  three 
things:  accomplishing  business  at  less  cost, 
boosting revenue and serving customers better,
said Karen Dean, director of global voice
communications for the company. And this
means integrating communications into business
applications.

For  instance,  Avaya  VoIP  gear  and  contact 
center software has improved customer service
in the tool-repair arm of the business,
Dean said. The company reduced the average
time tools spent on the shelf in the repair shops
from 39 days to 27 by implementing automated
self-service status checks that blended
the  phone  system  with  the  repair  database. 

The  company  has  hired  consultants  to  write 
UC  into  its  business  applications,  but  doing  so 
has  become  so  important  that  they  may 
change  the  model.  “The  more  we  do,  we’re 
thinking about building that expertise in-house,”
Dean said.

Application  integration  at  JJ  Food  Service  in 
the United Kingdom has also boosted customer
satisfaction with its Cisco VoIP gear and
its UC products, said Rif Kiamil, the company’s
IT manager.

The JJ Food call center takes caller ID information,
relates that to a database and, say, if the
customer calling is known to speak French, the
call is automatically directed to a French-speaking
agent who gets a screen popup about
who is calling.

This  streamlining  resulted  in  cutting  the  need 
for  transferring  calls  or  calling  customers  back 
in  162,500  cases  per  year,  Kiamil  said. 

The system also boosts productivity for internal
workers. For instance, when a help desk call
comes  in,  the  call  shows  who  is  calling  and 
their  history  of  help  desk  requests.  So  when 
help  desk  staff  answers  the  phone  they  already 
know  what  the  problem  is  and  if  it  requires  a 
visit  to  the  desktop.  The  system  also  shows  the 
presence  of  help  desk  techs  so  the  closest  one 
can be contacted via the UC system and dispatched,
Kiamil said.


Similarly,  the  external  help  desk  can  tap 
into  presence  data  gathered  from  handhelds 
in delivery trucks to track exactly where drivers
are and project when deliveries will
arrive,  he  said. 

Taking UC to school

Integrating voice into the Web presence at
Concordia University in Toronto makes it simpler
for students to find out about courses, said
Ravdeep Sawhney, IP telephone analyst for the
school. All university applications are Web-enabled,
so individuals access them via a portal.
Every class has its own Web page and a
click-to-talk button to connect students to the
professor if they have questions and the professor
is available.

Sawhney  has  big  plans  for  UC  including 
browser-based  phone  service,  a  click-to-talk 
directory  of  university  phones,  Wi-Fi  phones 
with GPS capabilities and presence for workflow
automation. As handsets become less expensive,
he will switch to supporting dual
mode Wi-Fi/cellular phones.

The  big  hurdle  users  see  that  vendors  need  to 
overcome  is  a  single  server  that  can  handle 
presence information from other vendors’ gear,
said John Turner, the school’s director of network
services at Brandeis University.

Brandeis  uses  Cisco  IP  phone  gear  and 
presence  in  the  school’s  instant  messaging, 
but  can’t  extend  it  to  other  applications. 
Turner  is  considering  open  source  presence 
server software as a way to integrate disparate
presence elements of his network in-house,
but that’s not ideal.

Widely adopted standards and interoperability
certifications are needed, Turner says.
“Hopefully it will be more open and we’re not
tied to a single vendor,” he said.
Novell CEO picking his battles

Users  agree  with  company’s  plan  to  create  infrastructure  services 


Open  source  effort 

Novell last week laid out a plan to create a set of infrastructure services
around its operating system, middleware and management tools. The company
is leading with its Linux platform and open source projects and participation.
Here is a look at a handful of projects Novell is involved with.

Project: Description

Apache HTTP Server: Develops and maintains an open source HTTP server.

Aperi: Storage code and framework that Novell will use to enable storage
management at the operating-system level.

Bandit: A set of loosely coupled components that provide consistent identity
services around the user-centric model.

Blade.org: Develops next-generation technologies for blade computing.

Heartbeat: Part of the Linux-HA (high availability) project, sends heartbeat
packets across the network.

ICEcore: Novell-led project around team workspaces, conferencing and Web
2.0 technologies.

JBoss JEMS: JBoss Enterprise Middleware System is the open source platform for
service-oriented architecture.

Mono: Mono can run existing programs targeting the .Net or Java frameworks.

Moonlight: Implementation for Linux platforms of Microsoft’s Silverlight browser
plug-in to support rich, multimedia applications.

Open SUSE: Sponsored by Novell to promote the use of Linux.

Open WBEM: Enterprise-grade open source implementation of Web-Based Enterprise
Management technologies.

Xen: A virtual-machine monitor for x86 processors.

BY  JOHN  FONTANA 

Novell wants to shed its historical comparison
with industry titans and focus on developing
its core technologies into a set of infrastructure
services it says will define its success
going  forward,  according  to  company  CEO 
Ron  Hovsepian. 

Novell, which  celebrated  its  25th  anniversary 
last  week,  lost  its  “industry  titan”  tag  more  than 
a  decade  ago,  but  its  strategies  continue  to  be 
compared  to  those  of  IBM  and  Microsoft. 
Hovsepian  says  he  won’t  back  down  from  a 
fight,  but  that  Novell  is  now  picking  its  battles 
— and its friends — wisely. “We are past that
old  business  of  hanging  on,”  he  says.  “As  you 
look  at  the  [networking]  stack,  it  is  about 
knowing  what  your  role  is  at  each  layer  at 
macro  and  micro  levels.” 

The  Novell  chief,  known  for  a  friendly 
demeanor  that  hides  his  competitive  fire, says 
the  company  will  continue  to  battle 
Microsoft  and  similar  vendors  in  certain 
areas,  such  as  server  and  desktop  operating 
systems,  but  will  complement  those  vendors 
in such technology areas as systems management
and applications.

Evidence  for  the  latter  goal  is  last  week’s 
extension  of  a  partnership  with  SAP  that 
opens  to  Novell  the  huge  SAP  installed-base 
and  the  opportunity  to  supply  it  with  platform, 
virtualization  and  identity  support. 

Novell’s  strategy, called  Fossa  and  introduced 
last  week  at  its  annual  BrainShare  conference, 
calls  for  delivery  of  network  infrastructure  as  a 
set  of  services  that  can  be  interconnected, 
integrated across platforms or run as stand-alones.
The modular platform isn’t long on
new technologies; it mostly includes enhancements,
acquisitions and infusions of standards
to  its  Linux, virtualization,  orchestration,  policy 
identity  compliance,  management  and  collab¬ 
oration  tools. 

Hovsepian  says  he  set  the  ball  rolling  on 
Fossa  in  2006  when  he  aligned  Novell’s  core 
strengths with network layers and began figuring
out where Novell would compete and
where  it  would  partner. 

A major milestone has been the controversial
interoperability and cross-patent licensing
deal Novell signed with Microsoft in
November 2006. The latest evidence of the
plan is the acquisitions of collaboration vendor
SiteScape and virtualization management
player  PlateSpin. 

Hints  of  success  also  were  evident  in 
Novell’s  2008  fiscal  first-quarter  earnings, 
which  showed  a  65%  revenue  increase  in  its 
open  platform  division  that  includes  SUSE 
Linux  desktop  and  server.  In  addition,  net 
income hit $16.8 million, a significant turnaround
from the $19.5 million loss Novell
posted in the same quarter a year ago.

“[Fossa] is not a far-flung dream,” Hovsepian
says. “It is a lot of reality; it is our core
competencies. We are just tying them
together. We have to look at the market segments,
and we have to attach ourselves to
those markets.”

Hovsepian  may  be  on  to  something,  because 
Fossa,  which  Novell  admits  is  in  the  vision 
stage  and  might  not  bloom  fully  until  2012,  is 
nonetheless  getting  a  warm  reception  from 
the  company’s  users. 

Those  users  see  Novell  regaining  its  balance 
and  heading  in  the  right  direction,  albeit  with 
a  few  course  corrections  needed  in  the  short 
term,  such  as  fostering  the  education  of  more 
certified  Linux  engineers. 

“We  are  interested  in  Fossa  not  because  of 
the  open  source,  but  because  of  the  concept 
that the whole environment should be dynamic
and intelligent enough to handle user
needs, and to see it all integrated in a way that
includes compliance and security,” says Pepijn
Visser, program manager for corporate operations
and information services at ING Group.
Visser  is  using  Novell’s  Identity  Manager  to 
help  synchronize  120,000  user  identities 
spread  across  disparate  systems. 

“Novell’s  consistent  strategy  means  a  lot  to 
me  from  an  open  source  perspective,”  says 
Mark Shackelford, vice president of information
services for Baldor Electric, a manufacturer
of industrial electric motors, power transmission
products, drives and generators.

Hovsepian  says  Novell  is  first  a  network 
infrastructure  company  and  will  use  Linux  to 
keep  customers  and  attract  new  ones.  Its 
next  step  will  be  to  supply  those  users  with 
technologies,  such  as  virtualization,  identity 
and  policy  enforcement,  to  build  out  their 
platforms  or  to  ensure  interoperability  with 
their  existing  infrastructure. 

Hovsepian  says  Novell’s  platform  will  be  the 
foundation  developers  use  to  run  their  Web 
2.0  technologies. 

He  says  his  infrastructure  “stack”  includes 
operating  systems,  database,  systems  manage 

See  Novell,  page  46 

TECH  UPDATE 

An  inside  look  at  technologies  and  standards 

Unlock  the  value  of  logs 

BY  CHRIS  PETERSEN 

Log and security-event management is now a requirement for organizations
that have to monitor security and IT-policy enforcement and
document compliance. Current approaches, however, force users to
purchase and integrate two or more products for each discipline. For enterprises
with large data centers, distributed operations or branch offices, this
method  is  complex,  costly  and  difficult  to  deploy  and  manage. 


In  a  typical  organization,  millions  of  logs  are 
generated  by  every  system,  application  and 
device  on  the  network  every  day.  According  to 
the  SANS  Institute,  logs  represent  as  much  as 
25%  of  all  the  data  a  typical  enterprise  creates. 

Most  logs  are  not  important  or  meaningful, 
but  a  small  percentage  are  extremely  valuable. 
They  contain  insights  and  warnings  about  the 
health of the network, security issues, compliance
violations and operational problems.

To  unlock  the  value  of  logs,  a  new  class  of 
appliance has emerged that combines universal
log-data collection, analysis, event management,
automated report distribution and incident
response. They employ a building-block
approach  that  allows  organizations  to  start  with 
a  single  appliance,  then  add  more  devices  as 
the  number  of  log  sources  and  volumes  grow. 

These  new  log-  and  event-management 
appliances  perform  the  following  functions: 

• Log collection. Log sources can include servers, applications, databases — anything connected to the network. Logs can be delivered to the appliance via standard network-logging protocols. They can be pulled from Windows hosts (event logs) or databases compliant with Open Database Connectivity. Logs also can be collected by agents from remote sites and flat-file sources and forwarded to the appliance.

• Log management. Because log formats are as varied as their sources, once logs are collected, they must be normalized. Log normalization includes classifying logs so they can be correlated, stored, reported on and managed. Normalization is a key step in transforming logs from raw data to valuable information. During the normalization process, the appliance also automatically synchronizes the time stamps of all log entries.

• Archival and restoration. Many organizations must retain log data to meet regulatory requirements. Integrated log- and event-management appliances automate the process of archiving and restoring log data. Based on policy settings, the appliance automatically archives log data and generates bookkeeping information, such as where and when the log data originated. Archive files are cryptographically signed and compressed, providing tamper-proof, cost-effective long-term storage. They can be restored via intuitive, wizard-based tools that verify the archive files have not been modified.

• Log analysis. Once collected and normalized, logs should be assigned a common name and classified under the appropriate category, such as security operations, or audit and compliance. Logs having the most immediate operational relevance should be appropriately designated. The latter typically are critical security events, audit failures, warnings and errors. Most systems include predefined events that can be customized, or allow new events to be created to meet unique requirements.

• Event management. The importance of an event varies by organization and by log source or the system in question (that is, the value of the asset). For instance, a system reboot is unimportant on a user workstation, but when it occurs on an ERP server with a 99.999% uptime requirement, it’s critical. The appliance should support risk-based prioritization. One way to do that is to assign a priority from 1 to 100 based on type of event; likelihood the event is a false alarm; threat rating of the host causing the event (for example, a remote attacker); and risk-rating of the application, system or device on which the event occurred.

Risk-based prioritization helps make sure the most important events are identified and forwarded to the appropriate individuals for rapid response. It should be possible to send alerts via e-mail, Short Message Service, page, SNMP and so forth. A customizable Personal Dashboard interface usually is available to allow users to assess problems quickly and drill down to individual log or event data for root-cause analysis.

• Flexible reporting. Log- and event-management appliances also should offer robust reporting capabilities, including prebuilt reports for specific regulatory requirements (such as the Sarbanes-Oxley Act and the Payment Card Industry Data Security Standard), as well as customizable reports that can be tailored to meet specific analysis and reporting needs.
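The normalization, classification and risk-based prioritization steps in the list above, worked through as an added example (it is not code from the article or from any vendor's appliance). The article names the four priority inputs but gives no formula, so the formula, the 0-10 rating scales, the rule table and the sample records are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample input (not real logs): syslog-style lines that carry a
# local UTC offset, and a Windows-event-style record whose time is in UTC.
SYSLOG_LINES = [
    "2008-03-24T09:15:02-05:00 erp01 kernel: system reboot initiated",
    "2008-03-24T09:15:09-05:00 ws-042 kernel: system reboot initiated",
]
WIN_EVENTS = [
    {"TimeCreated": "2008-03-24 14:15:05", "Computer": "ERP01",
     "EventID": 4625, "SourceAddress": "203.0.113.7"},
]

# Assumed 0-10 ratings; a real deployment would load these from an inventory.
ASSET_RISK = {"erp01": 10, "ws-042": 1}   # value of the system that logged it
HOST_THREAT = {"203.0.113.7": 9}          # rating of the host causing the event
DEFAULT_ASSET, DEFAULT_THREAT = 5, 2

# Rule table (assumed values): matcher -> common name, category,
# event-type weight 0-10, false-alarm likelihood 0-10.
RULES = [
    (lambda e: "reboot" in e["message"],
     ("System Reboot", "operations", 8, 1)),
    (lambda e: e.get("event_id") == 4625,
     ("Authentication Failure", "security", 6, 4)),
]

SYSLOG_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")


def normalize_syslog(line):
    """Parse one syslog-style line into the common schema, time in UTC."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("unparseable syslog line: %r" % line)
    stamp, host, _program, message = m.groups()
    utc = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return {"ts": utc, "host": host.lower(), "origin": host.lower(),
            "message": message}


def normalize_winevent(rec):
    """Map a Windows-event-style record onto the same schema."""
    utc = datetime.strptime(rec["TimeCreated"], "%Y-%m-%d %H:%M:%S")
    host = rec["Computer"].lower()
    return {"ts": utc.replace(tzinfo=timezone.utc), "host": host,
            "origin": rec.get("SourceAddress", host),
            "event_id": rec["EventID"],
            "message": "event %d" % rec["EventID"]}


def classify(event):
    """Assign a common name and category; unknown logs get a low weight."""
    for matches, (name, category, weight, false_alarm) in RULES:
        if matches(event):
            return dict(event, name=name, category=category,
                        weight=weight, false_alarm=false_alarm)
    return dict(event, name="Unclassified", category="other",
                weight=1, false_alarm=5)


def priority(event):
    """Assumed formula: integer score clamped to the article's 1-100 range."""
    asset = ASSET_RISK.get(event["host"], DEFAULT_ASSET)
    threat = HOST_THREAT.get(event["origin"], DEFAULT_THREAT)
    raw = (event["weight"] * (10 - event["false_alarm"])
           * (6 * asset + 4 * threat)) // 100
    return max(1, min(100, raw))


def load_events():
    events = [normalize_syslog(line) for line in SYSLOG_LINES]
    events += [normalize_winevent(rec) for rec in WIN_EVENTS]
    events = [classify(e) for e in events]
    for e in events:
        e["priority"] = priority(e)
    return events


def timeline():
    """Cross-source ordering is only meaningful after time normalization."""
    return sorted(load_events(), key=lambda e: e["ts"])


def triage_queue():
    """Highest-priority events first, for alerting and dashboards."""
    return sorted(load_events(), key=lambda e: -e["priority"])


if __name__ == "__main__":
    for e in triage_queue():
        print(e["priority"], e["ts"].isoformat(), e["host"], e["name"])
```

The same reboot message scores very differently on the ERP server and on the workstation because only the asset rating changes, which is the behaviour the event-management item describes.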

This new breed of all-in-one log- and event-management appliances is a compelling choice for organizations looking to automate security information management, cut regulatory-compliance auditing and reporting costs, and proactively control operations for better service levels.
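The archival and restoration function described above (compressed archives with bookkeeping information, signed so that a restore can verify nothing was modified), as an added example that is not taken from the article or from any product. The article does not name a signing scheme; HMAC-SHA256 with an appliance-held key stands in for it here, and the key, field names and sample log lines are constructed assumptions.

```python
import gzip
import hashlib
import hmac
import json

# Assumption: a secret held only by the appliance. A keyed MAC stands in for
# the "cryptographically signed" archives the article mentions.
ARCHIVE_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample log lines.
SAMPLE_LINES = [
    "2008-03-24T14:15:02Z erp01 System Reboot",
    "2008-03-24T14:15:05Z erp01 Authentication Failure src=203.0.113.7",
]


class TamperedArchive(Exception):
    """Raised when an archive fails verification during restore."""


def build_archive(lines, source, first_ts, last_ts, key=ARCHIVE_KEY):
    """Compress the logs and sign a manifest holding the bookkeeping data."""
    payload = gzip.compress("\n".join(lines).encode("utf-8"))
    manifest = {
        "source": source,          # where the log data originated
        "first_ts": first_ts,      # when it originated
        "last_ts": last_ts,
        "count": len(lines),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return {"payload": payload, "manifest": manifest_bytes, "tag": tag}


def restore_archive(archive, key=ARCHIVE_KEY):
    """Verify signature, digest and record count before returning any data."""
    expected = hmac.new(key, archive["manifest"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, archive["tag"]):
        raise TamperedArchive("manifest signature mismatch")
    manifest = json.loads(archive["manifest"])
    digest = hashlib.sha256(archive["payload"]).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise TamperedArchive("payload digest mismatch")
    text = gzip.decompress(archive["payload"]).decode("utf-8")
    lines = text.split("\n") if text else []
    if len(lines) != manifest["count"]:
        raise TamperedArchive("record count mismatch")
    return manifest, lines


def is_intact(archive, key=ARCHIVE_KEY):
    try:
        restore_archive(archive, key)
        return True
    except TamperedArchive:
        return False


def flip_last_byte(archive):
    """Test helper: simulate a single corrupted or altered byte on disk."""
    damaged = bytearray(archive["payload"])
    damaged[-1] ^= 0x01
    return dict(archive, payload=bytes(damaged))


def rewrite_without_key(archive, new_lines):
    """Test helper: payload and manifest are rewritten consistently, but the
    old tag is reused because the key is not available to the editor."""
    payload = gzip.compress("\n".join(new_lines).encode("utf-8"))
    manifest = json.loads(archive["manifest"])
    manifest["sha256"] = hashlib.sha256(payload).hexdigest()
    manifest["count"] = len(new_lines)
    return {"payload": payload,
            "manifest": json.dumps(manifest, sort_keys=True).encode("utf-8"),
            "tag": archive["tag"]}


if __name__ == "__main__":
    arc = build_archive(SAMPLE_LINES, "erp01",
                        "2008-03-24T14:15:02Z", "2008-03-24T14:15:05Z")
    print("original intact:", is_intact(arc))
    print("byte flipped:", is_intact(flip_last_byte(arc)))
    print("record removed:", is_intact(rewrite_without_key(arc, SAMPLE_LINES[:1])))
```

The signature covers the manifest and the manifest pins the payload digest, so removing a record and recomputing the digest still fails without the key.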

Petersen is CTO of LogRhythm. He can be reached at chris.peterson@logrhythm.com.


How  it  works 

A  log  and  event  management  appliance  should  be  able  to  collect  from  multiple 
sources,  normalize,  time  stamp  and  analyze  the  results,  generate  alerts  and 
reports  for  audit  and  regulatory  compliance,  and  support  data  mining  for  forensic 
and  root-cause  investigations. 
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Working  with  NSIS’  screensaver  installer 

GEARHEAD

Mark Gibbs

In last week’s discussion about developing a screensaver installer, I left off at the point where I used the freeware Mihov NSIS Helper to create a simple, prototype installer script that’s designed to be turned into a Windows installer application by Nullsoft’s outstanding free, open source Nullsoft Scriptable Install System (NSIS).

A Windows screensaver essentially is system software, however, so more work was needed. For a start, the screensaver installer has to put the .scr file in the Windows system subdirectory (by default named system32), which is usually under the Windows subdirectory (by default, c:\Windows). Of course, this isn’t a certainty, so you really need to use what the system tells you is the actual directory. This means that in the NSIS script, you have to specify the installation directory accordingly: InstallDir "$SYSDIR".

NSIS also has a number of other predefined constants, such as $SYSDIR, $PROGRAMFILES, $DESKTOP, $STARTMENU and $QUICKLAUNCH; these simplify scripting considerably.

Now, to install a screensaver it is not enough to copy the .scr file to the system directory. Actually, it is enough if the user is willing to run the Windows control-panel display applet, and on the screensaver tab select the newly installed screensaver. I wanted to be a little more polished than that, however, so it was time to do that most dangerous of system changes: modify the registry. I write “most dangerous” with tongue firmly in cheek. Given the number of ways you can easily damage or destroy a Windows system, modifying the registry isn’t really that perilous, but Microsoft has always been a little obsessive on the topic.

The registry keys for screensavers for the current user can be found in the HKEY_CURRENT_USER (alias HKCU) hive, Microsoft’s rather odd name for the major logical sections of the registry.

The first key we need to change is Control Panel\Desktop\Scrnsave.exe, and we need to set it to the file name of the screensaver we just copied into the system directory. If you are in the habit of browsing the registry, you’ll notice that the entire path often is included in this key, but Microsoft notes that if you are in fact using the system directory, the path is assumed.

Next you need to set the key Control Panel\Desktop\ScreenSaveActive to “1,” which, as you might guess, ensures that the screensaver is active. And that’s it.

The last thing I did was tweak the graphics that are used by the installer’s user interface. Under the NSIS installation directory you’ll find the graphics in Contrib\Graphics\Wizard. If you are using the default NSIS setup, editing the win.bmp file changes the left-side graphic on the installer welcome page. I leave it as an exercise for the reader to find the other graphics.

That’s it. If you want the installer script and the screensaver, send an empty message with the subject “NSIS demo” to gearhead@gibbs.com.

My  final  thoughts  this  week  are  on  VNC,  an  excellent,  free,  open 
source,  remote-control  application.  I  just  found  a  version  of  the  VNC 
client  for  OS  X!  It  is  called  —  and  I  love  this  —  “Chicken  of  the  VNC.” 
COTVNC  is  a  SourceForge  project;  despite  its  last  release  being  in 
January  2006,  it  works  great!  That  said,  be  warned:  There  are  a  few  out¬ 
standing  issues  with  COTVNC. 

So,  next  week  we  resume  our  look  at  Parallels  Virtuozzo  Containers  4.0, 
and  try  to  remember  what  started  us  on  that  product  in  the  first  place. 

Gibbs  keeps  muttering  “so  much  technology,  so  little  time" in  Ventura, 
Calif.  Sympathize  with  gearhead@gibbs.com. 




Huzzah!  Stuff  works! 
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Last  week  I  wrote  about  the  mini-disasters 
that struck while I was testing four products. Here’s an update:

Dymo DiscPainter: Luckily, the only problem I had was a bad ink cartridge, which wasn’t printing the color blue. With a new cartridge in, I was able to produce a very nice-looking design. The $280 printer lets you produce professional-looking CDs and DVDs with a technology called RadialPrint, which lays the ink down on the disc as it spins. It’s fun to watch and produces a high-quality disc cover, which beats labeling your CDs or DVDs with a Magic Marker. Because of the problem with the ink cartridge, its final grade is ★★★★ (out of five).

Digital Spectrum Photo Frame: The problem I faced with this was that the frame didn’t connect to my Wi-Fi Protected Access (WPA) 2-enabled wireless network, even though the vendor said it supported the network. After discussing the problem, the vendor said a firmware update for the frame (not the router, which made me happy) would fix it. The update did, and I was able to connect.

With the frame connected to the network, I could try the free, Web-based FrameChannel service, which lets you create a personalized content stream of your photos, friends’ photos and other content feeds, including weather, news and entertainment channels. After creating an account, you can choose rules for each channel, and the service will create a personalized RSS feed that streams down to your photo frame. If you don’t own a supported frame, you still can use the service and create a personalized RSS feed that you can view through a feed reader, or use a Yahoo or Google desktop widget to view the streams. Photos can be sent to the service through the Web, e-mail or even camera phones (you get a custom e-mail address). You can even subscribe to other photo feeds (such as Flickr and Picasa) if you already have those stored somewhere. Final grades: Photo Frame, ★★★★; FrameChannel, ★★★★★

ComOne Phoenix Internet Radio: Like the Photo Frame, this device wouldn’t connect to my WPA2-protected home network. Unlike the Photo Frame, a firmware update didn’t solve the problem. I disabled the secure network and was able to connect the device to the Internet. A software update was downloaded, but WPA2 support is not part of the update. I tested the device on the unprotected network, but without WPA2 support I can’t recommend the device fully.

Features include being able to listen to several Internet radio stations; podcast streams through the company’s Web portal (the site underwent a revamp last week, another strike against it); audio books; background music; and even your own music (through a connected network media server or attached USB memory stick). Final grade: incomplete, check back in six months.

Spin art! Dymo’s DiscPainter

Shaw can be reached at kshaw@nww.com.
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Processor  wars  heat  up 

AMD  finally  releases  Barcelona  quad-core;  Intel  goes  for  six 


BY  JON  BRODKIN 

After months of delays, Advanced Micro Devices’ quad-core Barcelona chip will become generally available in April, but a newly announced six-core processor developed by rival Intel will force AMD to play catchup once again.

Intel last week said a six-core processor code-named Dunnington will be available in the second half of this year. AMD will ship Barcelona to partners later this month, making it broadly available from resellers sometime in April, according to Kevin Knox, AMD’s vice president of commercial business. “Barcelona is a step up, but it’s really too late,” says Gartner analyst Martin Reynolds. “They needed Barcelona in the second half of last year.”

Barcelona, the code name for AMD’s newest Opteron processor, is in limited availability and being used mostly in such high-performance computing facilities as the Texas Advanced Computing Center and the Holland Computing Center at the University of Nebraska. AMD initially planned general availability for the end of 2007, but held back after discovering a problem at high-stress workloads. “We went ahead and fixed it in the silicon,” Knox says. “Systems would hang for certain things, virtualization wasn’t performing properly. It wasn’t data corruption.”

Intel has had quad-core Xeon processors on the market since early 2007, and in September unveiled the Xeon 7300 quad-core chips, which are designed for high-end servers with four or more processors.

Even with Barcelona hitting general availability, AMD’s performance lags behind Intel’s in processor speed and bandwidth utilization rates, Reynolds says. “It’s going to be Intel winning the performance battle for the next year and a half,” he says. “But you can never count out AMD, and we’ll see what they deliver in 2009.”

Knox says AMD’s newest chip will deliver better performance than Intel’s and new instructions at the chip level will let virtualized workloads operate more efficiently on the processor. Customers will see a sizable improvement in price performance per watt, he says.

“We’ve gone from dual- to quad-core while maintaining the same thermal envelope,” Knox says. “This is more than just quad-core. It is a significant rearchitecture of Opteron, the most significant since we’ve introduced it.”

HP will be among the first resellers to take advantage of Barcelona. The vendor announced on Monday that its eight-socket x86 server using the quad-core AMD processors will be available in May.

Dell, Sun, and IBM are among the other vendors preparing servers based on the new quad-core processors, Knox says. “You’ll see a fair number of systems on the market in April,” he says.

Being late to the quad-core market poses challenges, but Knox says he’s confident. “There’s always the challenge that [Intel’s] the incumbent in the four-way market,” he says. “We think in some ways it’s a good thing, in some ways it’s a bad thing. They’ve certainly raised awareness of quad-core.”

Intel’s next move is to raise awareness of six-core. While an eight-core server might have seemed like the next logical step, Reynolds notes that there’s no technical reason to double the number of cores every time. Intel said its Dunnington processor will support FlexMigration virtualization technology, which creates a pool of virtualized resources that can be moved across many types of Intel servers.

Intel also discussed several other multicore projects in the works, including a new Itanium processor code-named “Tukwila,” a quad-core chip for high-performance computing. Tukwila “is the world’s first two-billion-transistor microprocessor and is projected to deliver more than double the performance of the current generation Itanium processor,” Intel states in a fact sheet released Monday.

Another future processor discussed by Intel is Nehalem, which would have two to eight cores and four times as much memory bandwidth as today’s highest-performing Xeon systems. The Nehalem processor architecture eventually will be used in everything from notebook computers to high-performance servers, the company says.

Intel also said it’s investing in technologies that will accommodate next-generation game systems with better graphics and game controllers that respond to human motion. ■

Intel's six-core Dunnington processor will be available in the second half of this year.


Microsoft, Intel pour $20 million into parallel computing research

BY JON BRODKIN

Microsoft and Intel are giving a $20 million boost to parallel computing researchers who are developing better ways of writing applications that can take advantage of multicore processors.

The $20 million will be distributed over five years to the University of California, Berkeley and the University of Illinois at Urbana-Champaign (UIUC). Another $15 million is expected to come from a California state-grant program and UIUC.

Dual- and quad-core processors are becoming increasingly common, and the number of cores in each processor will only grow in coming years. Intel already is developing an 80-core processor.

Software designed for single-core processors, however, can’t take full advantage of multicore computing, which can execute multiple threads and processes simultaneously; many programmers find it difficult to write applications suited for the multicore world. The goal of this initiative, announced this week, is eventually to make “parallel programming . . . synonymous with programming.”

“There have been no major efforts on how to make parallel programming easier for the average programmer,” says Marc Snir, a professor of computer science and electrical and computer engineering at UIUC. Laptop computers and PDAs, in particular, have been unable to leverage all the benefits of parallel computing, he says.

Snir and his colleagues aim to develop new programming languages and other technologies to help programmers take advantage of multicore processing. They also are developing new ideas for how vendors like Intel and Advanced Micro Devices can design multicore processing to make programming easier, he says.

Microsoft and Intel said their $20 million combined investment will create two “Universal Parallel Computing Research centers” at the California and Illinois universities. ■
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Carriers  moving  on  open  access 


BY  BRAD  REED 

When  telecommunications  historians  look 
back  on  the  events  of  2007,  they  may  well  see 
them  as  the  carriers’  last  stand  against  opening 
up  their  networks. 

After  all,  it  was  just  six  months  ago  that 
Verizon  unsuccessfully  sued  the  FCC  in  an 
attempt  to  overturn  the  open-access  rules  it 
had  placed  on  a  portion  of  the  700MHz  spec¬ 
trum  auction.  Fast  forward  to  today  and  Verizon 
has  won  the  very  auction  it  tried  to  thwart. 

Verizon’s  shift  on  the  700MHz  auction  isn’t 
the  only  step  it’s  taken  toward  opening  up  its 
network  further.  This  week,  the  carrier  released 
technical  specifications  that  third-party  devel¬ 
opers  need  to  meet  to  connect 
their  devices  to  its  open-access 
network.  The  specifications  were 
released  as  part  of  Verizon’s  Open 
Development  Initiative,  which  the 
company  has  launched  to  entice 
more  device  manufacturers  and 
mobile  application  developers  to 
create  products  to  connect  to 
Verizon’s  open-access  network. 

Last  year,  the  company 
announced  it  would  give  its  cus¬ 
tomers  an  open-access  service 
option  that  would  let  them  con¬ 
nect  to  the  Verizon  network  using 
third-party  devices. 

Verizon  Wireless  CTO  Tony 
Melone  said  last  week  that  while 
the  company’s  first  priority  in 
approving  third-party  devices  is 
to  protect  its  network  and  its  cus¬ 
tomers,  its  specifications  for  these  devices  are 
based  on  industry  standards  and  aren’t  any 
more  rigorous  than  the  specifications  Verizon 
uses  to  approve  its  own  devices.  Melone  also 
said  Verizon  Wireless  would  be  active  in  pro¬ 
viding  technical  advice  and  support  to  devel¬ 
opers  who  have  difficulty  meeting  the  network 
specifications,  because  “we  can’t  put  ourselves 
in  a  framework  where  all  we  do  is  stamp  ‘pass’ 
or ‘fail’”  on  new  devices. 

Others  following  suit 

Verizon’s  move  toward  an  open-access 
option  comes  at  a  time  when  American  carri¬ 
ers  have  warmed  to  letting  third-party  devices 
and  applications  connect  to  their  networks. 
Last year, T-Mobile and Sprint Nextel joined the
Open Handset Alliance (OHA), a multinational
group with more than 30 members dedicated
to promoting Google’s Android open-access
mobile-platform initiative. The idea
behind  the  platform,  according  to  the  OHA,  is 
to  spur  innovation  in  mobile  applications  that 
will  give  users  the  same  experience  surfing  the 
Web  on  their  phone  as  they  have  on  their 
desktop  computers.  In  addition,  although 
AT&T  has  yet  to  open  up  its  network  in  the 


same  way  Verizon  has,  it  soon  will  support  a 
host  of  new  third-party  mobile  applications, 
because  of  Apple’s  recently  released  iPhone 
software  development  kit. 

The  carriers’  moves  toward  openness  are  a 
big  victory  for  Google,  which  has  taken  several 
measures  to  push  for  more-open  wireless  net¬ 
works.  Google  made  no  secret  of  its  desire  to 
use  Android  as  a  carrot  to  entice  more  carriers 
into  allowing  third-party  devices  on  their  net¬ 
works,  for  instance,  and  the  company  was  one 
of  the  chief  lobbyists  behind  the  effort  to  get 
the  FCC  to  place  open-access  rules  on  the 
700MHz  spectrum  auction. 

Mike  Jude,  a  senior  analyst  at  Nemertes 
Research,  told  Network  World 
last  year  that  the  FCC’s  decision 
to  promote  open  access  in  a  por¬ 
tion  of  the  700MHz  auction  and 
the  open  Android  platform  were 
two  key  factors  in  Verizon’s 
change  in  attitude  about  open 
access,  because  it  didn’t  want  its 
competitors  to  gain  a  market  ad¬ 
vantage  by  offering  more  dy¬ 
namic  service  packages.  Jude 
also  thinks  Verizon’s  decision  to 
open  up  was  a  clever  way  to 
head  off  any  future  FCC  action  to 
impose  network  neutrality  — 
providing  the  commission  with 
its  own  model  of  an  open-access 
network  that  is  more  favorable  to 
its  interests.  Gartner  analyst  Tole 
Hart  shares  Jude’s  view  that 
open-access  moves  by  competi¬ 
tors  have  placed  pressure  on  the  big  carriers 
to  open  up,  and  thinks  that  there  are  still  more 
open-access  dominoes  yet  to  fall. 

“It’s a herd mentality,” Hart said last year. “And
the  bottom  line  is,  consumers  want  choice.” 

More  carriers  embracing  P2P  technology 

While  some  carriers’  adoption  of  Android, 
and  others’  acceptance  of  open-access  rules 
in  the  700MHz  auction  indicate  they  are  loos¬ 
ening  controls  on  which  devices  can  connect 
to  their  network,  recent  moves  by  AT&T  and 
Verizon  suggest  that  more  carriers  are  rethink¬ 
ing  their  stance  toward  a  traditional  ISP  neme¬ 
sis:  peer-to-peer  technology. 

Last  week,  Verizon  announced  it  had  suc¬ 
cessfully  tested  a  P2P  file-transfer  system  that 
could  eliminate  many  of  the  headaches  that 
P2P  systems  have  caused  ISPs  in  the  past.  The 
experimental  software,  which  Verizon  helped 
test  in  conjunction  with  researchers  at  Yale 
University  and  P2P  software  developer  Pando 
Networks,  lets  a  network  select  sources  that 
will  optimize  the  delivery  route  of  large  files, 
thus  making  P2P  transfers  faster  and  less 
expensive,  according  to  Verizon  senior  tech¬ 
nologist  Douglas  Pasko.  AT&T  also  has  been 


conducting  field  tests  of  the  P2P  technology 
over  its  network  with  researchers  from  Yale 
and  the  University  of  Washington. 

The  P2P  field  test  was  conducted  through 
the  P4P  Working  Group,  an  industry  organiza¬ 
tion  sponsored  by  the  Distributed  Computing 
Industry  Association,  whose  mission  is  to  bring 
ISPs,  P2P  software  distributors  and  technology 
researchers  together  to  create  a  set  of  prac¬ 
tices  designed  to  optimize  P2P  content  distri¬ 
bution.  In  addition  to  Verizon,  AT&T  and  Pando 
Networks,  the  P4P  group  includes  such  major 
players  as  BitTorrent  and  Cisco. 

Historical  issues 

ISPs  have  been  wary  of  programs  that  dis¬ 
tribute  large  data  files  by  breaking  them  up 
into  small  pieces  and  sending  them  through 
multiple  sources,  then  reassembling  them 
after  all  the  data  is  received.  P2P  protocols 
have  posed  traffic-management  challenges  to 
ISPs,  because  they  are  designed  mainly  to 
download  large  chunks  of  data  from  sources 
wherever they can be found and without
particular regard to network efficiency.

This  has  led  to  some  ISPs  struggling  to  find 
ways  to  manage  P2P  traffic  that  don’t  degrade 
the  user  experience  or  upset  customers. 
Comcast,  for  instance,  sparked  a  controversy 
last  year  after  the  Associated  Press  reported 
the  company  was  interfering  actively  with 
some  of  its  customers’  ability  to  share  files 
online.  Comcast’s  critics  were  skeptical  of  its 
defense of its traffic management policies, and
the  company  weathered  further  criticism  of  its 
practices  at  an  FCC  panel  on  broadband  net¬ 
work  management  last  month. 

Researcher  Haiyong  Xie,  a  Yale  Ph.D.  candi¬ 
date  who  proposed  the  P2P  technology  with 
Yale  associate  professor  Yang  Richard  Yang  in 
2006,  says  that  Verizon’s  and  AT&T’s  collabora¬ 
tion  with  P2P  developers  is  a  reflection  of  the 
strength  of  their  networks  and  the  fact  that  P2P 
technology  has  become  such  a  driver  in  the 
growth  of  bandwidth  demand.  As  the  technol¬ 
ogy  evolves  and  as  more  ISPs  build  out  their 
capacity,  more  of  them  will  adopt  P2P  as  the 
most  efficient  way  for  customers  to  transfer 
large  files  over  their  networks. 

“Some  ISPs,  because  of  their  infrastructure 
being  different,  are  not  ready  to  support  this 
type of P2P technology,” Xie says. “For a
Comcast,  or  other  companies  that  provide  lim¬ 
ited  uploading  capacity  [the  technology]  will 
need  to  be  improved  in  such  a  way  that  not 
only  ISPs  like  Verizon  can  benefit  from  P2P 

The  two  big  carriers’  willingness  to  work 
with  the  P4P  group  is  significant,  Xie  says, 
because  it  shows  they  understand  that  P2P 
technology  is  not  something  to  be  resisted, 
but  rather  is  something  that  can  be 
improved  on  to  create  a  better  experience 
for  both  users  and  ISPs.  ■ 


P2P  developer 
Haiyong  Xie  says 
more  carriers  will 
jump  on  the  P2P 
bandwagon  the 
more  the  technol¬ 
ogy  advances. 


www.networkworld.com  •  MARCH  24,  2008  *  25 


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Outsourcing 

continued  from  page  1 

other  people  through  outsourcing  security 
services,”  says  Andre  Gold,  lead  for  IT  risk 
management  at  the  North  American  arm  of 
ING,the  Netherlands-based  global  financial 
services  firm. 

Gold  says  such  tasks  as  patch  and  vulnera¬ 
bility  management  tasks  and  antivirus  sup¬ 
port  are  consuming  a  lot  of  staff  time  that 
might  be  better  used,  for  instance,  in  strategic 
risk-management  operations  for  online  busi¬ 
ness  goals  with  partners  and  customers. 

“I’d  rather  push  the  ING  people  up  the  lad¬ 
der;”  Gold  says,  noting  that  next  month  ING  ex¬ 
pects  to  select  at  least  one  security  outsourcing 
provider  —  it  may  be  offshore  in  India  or  else¬ 
where  —  for  large,  multiyear  contracts  to  han¬ 
dle  remotely  a  wide  variety  of  data  and  net- 
work-security  management. 

“I  call  it  security  right-sourcing”  Gold  says, 
adding  that  ING  already  outsources  some  IT 
maintenance  and  application  development 
and  consequently,  advocating  security  out¬ 
sourcing  was  not  a  culture  shock  at  the  com¬ 
pany  He  says  he  expects  security  outsourcing 
to  prove  cost-effective  compared  to  adding  in- 
house  staff,  but  he  says  in  this  case,  that’s  not 
the  primary  motivator. 

Still, security  outsourcing  tends  to  elicit  nega¬ 
tive  views.  Paul  Simmonds,  CISO  at  global 
chemicals  manufacturer  ICI,  says  he’s  inclined 
to  stick  with  in-house  staff  for  security  because 
“when  something  goes  wrong,  does  that  out¬ 
sourcer  really  understand  how  it  impacts  your 
business?  I’d  say  no,  they  probably  wouldn’t.” 
On  the  other  hand,  Simmonds  notes  that  ICI 
has  benefited  from  security-as-a-service  from 
providers  MessageLabs,  Qualys  and  ScanSafe, 
which  have  taken  on  tasks  from  vulnerability 
scanning  to  antimalware  prevention. 

“My  bias  is  against  it,”  says  Jon  Gossels,  presi¬ 
dent  of  consultancy  SystemExperts,  which  ad¬ 
vises  corporations  on  security  strategy  with  a 
focus  on  regulatory  issues. 

Gossels says he could see outsourcing a few “discrete
functions,” such as log monitoring or penetration testing.
“But I’ve never seen large-scale outsourcing work well.
Security is a business enabler, and the decisions you make
every day in your IT infrastructure impact the business. I
don’t see how you can do that in an outsourcing way,” he says.

That appears to remain the dominant view. A survey of 479
security professionals conducted by the Computer Security
Institute (CSI) late last year asked what percentage of
computer security functions were outsourced in their
organizations. Sixty-one percent of the respondents — who
hailed from industries as diverse as finance, transportation,
retail, education, telecom, as well as government — answered
“none” (see graphic).

Only 5% had outsourced more than 60% of computer security
functions, with 2% in the 81% to 100% range. The survey
concluded, “While there’s certainly a market for outsourcing
some kind of security tasks (security testing of
customer-facing Web applications being one such example)
where the specialized nature of the work and the ability to
segregate the task for access to key enterprise assets make
outsourcing more appealing, it doesn’t appear that the
appetite for such outsourcing is growing overall.”

Graphic: Outsourcing security

More than 60% of survey respondents wouldn’t let outsourcers
touch their security infrastructure.

What percentage of computer security functions have you
outsourced?

81% to 100%: 2%
61% to 80%: 3%
41% to 60%:
21% to 40%:
Up to 20% of security functions: 22%
None: 61%

SOURCE: COMPUTER SECURITY INSTITUTE SURVEY OF 479 SECURITY
EXECUTIVES. TOTAL > 100% DUE TO ROUNDING.

CSI, which conducts an annual security survey, said the
results related to the question of outsourcing security
haven’t changed in the three years since they started asking
it.

The  skeptics 

Kate  Mullin,  IT  systems  security  manager  for 
the  Tampa  International  Airport,  is  skeptical 
about  security  outsourcing. 

The airport outsources a few functions, such as the IT
systems backup. In addition, there’s a contract in place to
call in support personnel if a situation called for that,
Mullin notes. Even though running an airport is a
round-the-clock activity, it’s the in-house engineering staff
who are on duty for network-security monitoring and other
tasks because “the decisions we make are based on the systems
we use,” she says. “If there’s a problem, we have to react.”
The airport recently bought a log and security-event
monitoring system called LogRhythm for this purpose.

Mullin says she’s doubtful outside personnel or equipment
would be able to do the same security monitoring and response
as effectively. But she’s keeping an open mind about it.

“If I do anything, I’d ‘co-source,’” Mullin says. Cosourcing
might mean half the time the security monitoring would be
in-house, half of the time outsourced.


At  the  recent  Infosec  World  Conference,  a 
number  of  security  managers  offered  their 
opinions  about  security  outsourcing. 

“We used to spend multiple millions of dollars per year
having our firewalls monitored,” said Anish Bhimani, vice
president of IT risk management at JPMorgan Chase, which has
been shifting away from outsourcing security functions.

“What  does  that  get  me?”  The  firm  has 
brought  firewall  monitoring,  vulnerability 
assessment  and  other  functions  in-house  using 
purchased  tools,  which  Bhimani  said  seems  to 
be  a  less  expensive  route  than  outsourcing. 

Derek Schatz, lead security architect with Boeing Commercial
Airplanes, said security outsourcing wasn’t a general
practice at his company, where the desire to technically
verify things directly was very dominant. “You have to take
into account the culture,” he said.

“On a whole, I’d hesitate,” said Mark Grimmelikhuijsen,
senior IT security manager at Campbell Soup Company, about
security outsourcing. “You could end up in a situation where
you watch the watcher,” he said, noting security outsourcing
ushers in new uncertainties: For example, if there’s a
dispute, which party is liable?

Outsourcing for efficiency reasons “makes sense,” said Kevin
McCaffery, senior manager of IT security at Avaya, but added,
“You can outsource the functions, but you can’t outsource the
oversight.”

Oversight goes to the heart of any outsourcing arrangement,
including security. The underlying outsourcing contract
should make sure “you’re allowed to audit them,” said Kathy
Kirk, director of information security at Prudential
Financial. The outsourcing provider has to demonstrate it’s
able to meet regulatory compliance goals. If your own
organization has to meet requirements, such as the Payment
Card Industry’s data-security rules, so will the outsourcing
provider you use, she said. She noted it’s necessary to have
some way to monitor the activities the outsourcing provider
is undertaking on your behalf.

Still,  some  companies  say  security  outsourc¬ 
ing  isn’t  something  they’ve  thought  about 
because  their  internal  staff  seem  able  to  man¬ 
age  security  well  enough  on  their  own. 

“We outsource a lot at our company, but one thing I’d say we
don’t need to outsource is security,” said Greg May, CTO at
Paradigm Investment, which owns and operates more than 90
Hardee’s restaurants in the South. ■

Irrelevant victories in the war on spam


On the surface it might look like there has been some real
legal progress against spam of late. But don’t be fooled;
these victories, real as they may be for the people involved,
don’t mean much to you and me. First, on March 3, the
Virginia Supreme Court upheld the conviction of Jeremy Jaynes
for violating a Virginia antispam law. The court said there
was no First Amendment right under the U.S. Constitution to
send spam. Then, less than two weeks later, Robert Soloway
pleaded guilty to a collection of mail fraud, spam and tax
charges. The government press release said that he had “sold
spamming software and spamming services impacting millions of
computers.”

Then, less than a week after that, the Federal Trade
Commission (FTC) announced that online advertising company
ValueClick had agreed to pay $2.9 million to settle charges
that the company sent spam with misleading subject lines that
violated the CAN-SPAM Act (see “Can: to be enabled by law” at
www.nwdocfinder.com/4126). More good news may be soon to
come, because a trial is about to start in a case the federal
government brought against Impulse Media Group — also over
spam.

All that sounds good — I can’t say that I’m sorry when
spammers get slapped about by the law — but it’s all too
rare. The remarkably impotent CAN-SPAM Act was signed into
law in December 2003. This act is supposed to be enforced by
the FTC. To say that the FTC has been careful in its approach
to enforcing this act would be misleading — a better word
would be “lethargic” or maybe “comatose.”

It took the FTC more than a year even to define some terms in
the law. Since then there have been a few prosecutions mixed
in with self-congratulatory press releases. (As far as I can
see, the act is not working in this universe, although it
might be working in some other universe the FTC is talking
about.)


As far as I can tell, the FTC has brought a few dozen charges
using the CAN-SPAM Act during the same time that Microsoft
has sued about 130 alleged spammers. Maybe the FTC should
subcontract its enforcement efforts to an organization that
actually seems to care.

Spammers spam because they can earn a lot of money. Jaynes
was estimated to have made $750,000 per month in mid-2003,
and Soloway admitted making $309,725 in gross revenue in
2005. Couple a lot of money with a very small chance that the
feds will get on your tail, and the choice is easy. Turn off
your spam filter for a few hours to see the impact of this
easy choice — if I do that, spam makes up more than 98% of
the e-mail in my in-box.

FTC press releases aside, there does not seem to be any
interest in Washington in trying to fix this problem — so do
not read too much into the recent developments on the legal
front.

Disclaimer:  Like  all  organizations,  Harvard 
employs  antispam  tools  to  try  to  cut  down  on 
the  flood,  but  has  not,  as  far  as  I  know,  issued 
an  official  position  on  the  topic.  So,  the  above 
vent  is  my  own. 

Bradner  is  Harvard  University’s  technology 
security  officer.  He  can  be  reached  at 
sob@sobco.com. 

Measuring bandwidth bang for the buck


Every now and then, I’m reminded that all the cool technology
I write about boils down to a single number: a line item on
the CFO’s budget. In other words, whether the technology is
MPLS or VPLS, HSPA or WiMAX, at the end of the day the CFO is
going to ask: “How much am I spending on this? And what kind
of bang for the buck am I getting in return?”

This isn’t as easy to compute as it sounds, because bandwidth
isn’t a pure commodity. Not only does it vary considerably by
geography, but how it’s packaged can affect how it’s priced
and can be used. (Companies don’t use Internet-based VPNs
precisely the way they use their business WANs, for example.)

That said, even a handful of data points can be illuminating.
For example, on average, the overall cost of T-1 access to
MPLS services (from all major carriers) works out to $900 per
site per month, or $600 per 1Mbps.

Is that good or bad? That depends — it’s certainly a dramatic
decrease from a decade ago, when T-1 access to frame relay
(MPLS was still experimental) ran $2,000 and more, for a
whopping $1,333 per 1Mbps.

But if you compare with newer technologies, such as carrier
Ethernet, the benefit’s not so clear. Providers such as
Cogent and Reliance Telecom offer low-cost, high-quality
Ethernet services, and mainstream providers such as Verizon
and AT&T are following suit (Verizon announced availability
of its carrier Ethernet offering last year, and AT&T recently
did the same). The key point here is cost: Cogent’s pricing
is $1,000 per 10Mbps access — or $100 per 1Mbps.

Carrier  Ethernet  and  Layer-3  MPLS  aren’t  directly  comparable  ser¬ 
vices:  Each  has  strengths  and  weaknesses  with  regard  to  the  other.  But 
it’s  still  illuminating  that  the  net  effect  of  moving  to  Ethernet  is  a  dra¬ 
matic  cost  reduction. 

Another interesting point is how that rate compares with
consumer bandwidth prices. $100 per 1Mbps is between two and
three times what consumers pay for DSL or cable modem access,
which putatively offer 1M to 5Mbps for $100 per month or
less.

Again, the comparisons aren’t exact — for one thing, very few
consumers actually receive the full bidirectional 1M to 5Mbps
capacity, whereas virtually all businesses do (or they
quickly replace their providers!). And, as noted earlier,
Internet access isn’t the same thing as business WAN
services.

But still... it’s enough to make you sit back and think for a
bit. What else should you be doing? For starters, make sure
every contract you negotiate includes a “technology refresh”
clause that specifies that if an alternative technology that
significantly affects bandwidth costs comes along during the
life of the contract, you can either request (and receive) a
transition to that technology, or terminate the contract
without penalty. Another good idea: look into aggressive
deployment of less-expensive technologies and offerings (such
as IP VPNs) for regions of the network where they may be a
good fit (remote branch offices and users, for example).
Above all, keep an eye on that bang for the buck — because
you can be sure the CFO is, too.

Johnson is president and senior founding partner at Nemertes
Research, an independent technology research firm. She can be
reached at johna@nemertes.com.

Security in a bubble


People  don’t  notice  change  when  it’s  grad¬ 
ual.  Sometimes,  however,  small,  incremen¬ 
tal  changes  add  up  in  a  way  that  isn’t 
noticed  until  a  change  in  degree  becomes  a 
change  in  kind. 

So it is with Internet connectivity and perimeter security.
In the beginning, companies had “the Internet connection,” a
single pipe to the outside world. With one connection, there
was a clear and easy-to-manage perimeter. And so, perimeter
security flourished.

Over time, companies have added more connectivity, gradually
changing their network architecture from a single “funnel”
into the Internet to a mesh-like network with near-ubiquitous
connectivity. What started as a series of changes in degree
has become a change in kind. Companies no longer maintain “a
connection” to the Internet; they are fully meshed, and a
significant percentage of their work happens “out there.” As
a result, perimeter security also has changed — from being
fundamental to being almost obsolete.

The closest real-world parallel to perimeter security is the
medieval castle with its walls and moat. With its single
gateway, the castle forces all traffic to a single
choke-point where access controls can be applied. Contrast
the castle with a modern city where there are thousands, if
not tens of thousands of entry and exit points.

It might be possible to set up roadblocks at every point, but
it would be totally impractical. Not only would such a
security scheme be ineffective, but it also would cripple the
city as trade, re-supply and people-flows would grind to a
halt.

We see such measures in modern cities only during war, and
even then they are broadly condemned because of the civilian
suffering they cause. So, if this example is instructive for
information security, modern corporations cannot sustain a
hard perimeter any more than a modern city can. Yet if we
look at the security architecture of most companies, we seem
to try to ignore the fact that many connections is not just a
change in degree from one connection, but a fundamental
change in kind.

A biological example helps to demonstrate this. Assume there
is an outbreak of disease. Would we attempt to construct a
large plastic bubble to envelop Chicago? Or would we instead
depend on individual immunity and vaccination to protect the
residents? A bubble has the same problems as a perimeter: The
insiders starve because of the lack of trade, and the bug
always gets through anyway. Maximum downside, not much
upside.

The unifying theme is the same: We cannot depend on
architectural solutions for security in a corporate world
where connectivity and mobility are ubiquitous. Those who
fail to see that networks have fundamentally changed are
still trying to adapt perimeter security to this new reality.
The new reality, however, calls for individual immunity —
every server, desktop, smartphone, router and network device
needs to carry a strong set of defenses.

Security  must  be  distributed,  ubiquitous  and 
pervasive,  or  you  end  up  huddled  inside  the 
bubble,  starving  for  lack  of  trade  and  deluded 
into  hoping  nothing  gets  through. 

Antonopoulos  is  a  senior  vice  president  and 
founding  partner  at  Nemertes  Research,  an  inde¬ 
pendent  technology  research  firm.  He  can  be 
reached  at  andreas@nemertes.com. 

SPECIAL FOCUS: STORAGE


Storage  revolution  shuffling  IT  jobs 


The  growing  flood  of  data  that  companies  create  and  consume  is 
doing  more  than  giving  rise  to  new  storage  technologies.  It’s  also 
changing  who  is  responsible  for  storage  within  IT  departments. 


BY  STEPHEN  LAWSON,  IDG  NEWS  SERVICE 


Demand for storage capacity is growing by 60% per year and
shows no signs of slowing down, according to research company
IDC. New disclosure laws, which require more data to be
preserved and retrievable, also are making storage management
a bigger job.

Now,  with  network-attached  storage,  stor¬ 
age-area  networks  (SAN),  virtualization  and 
other  technologies  shifting  information  and 
processing  around  within  enterprises,  a 
variety  of  changes  are  happening  in  the 
storage  administration  ranks. 

“With the sheer complexity of some companies’ information
infrastructures, you wonder whether one person can really get
their hands around it all,” says Pund-IT analyst Charles
King. The job has grown beyond taking care of storage arrays,
he says. “It’s really requiring storage administrators and
executives, including CIOs, to think of it in a more holistic
way.”

The  turning  point  for  some  IT  depart¬ 
ments  seems  to  be  the  shift  to  centralized 
storage.  Late  last  year,  the  University  of 
Pittsburgh  set  up  its  first  SAN  and  started 
moving  its  data  out  of  servers  and  into  its 
network  operations  center,  says  Jinx  Walton, 
director  of  IT. 

Until then, every time a group in the IT department set out
to meet a need on campus, the university’s IT development
team would assess how much storage was needed for the project
and purchase it. The individual group would then manage that
storage. “Whoever was responsible for the project was
responsible for the storage,” Walton says.

That  was  inefficient,  however.  Buying  stor¬ 
age  for  individual  servers  and  investing  in 
additional  disks  when  the  servers  filled  up 
was  expensive  and  a  distraction,  Walton 
says.  After  centralizing  most  servers  in  the 
network  operations  center  (NOC),  the 
university  started  building  a  SAN  there  that 
was  shared  by  all  the  project  managers. 
Purchasing  and  management  of  storage 
shifted  from  the  development  realm  to  the 
NOC.  It  wasn’t  easy  at  first,  she  says. 

“Any time there’s any kind of change, there’s concern about
it,” Walton says. But IT developers can now spend their time
solving problems instead of handling storage, and they’re
happy with the change, she says.

At  a  large  transportation  company  in 
the  Midwest,  what  had  been  a  niche  stor¬ 
age  project  under  a  small  team  has  gone 
mainstream. 

“[Centralized storage] looks simple on the surface. It looks
complex when it stops working or slows down.”

Greg McGovern, CTO, Adventist Health

IT administrators set up SANs about five years ago for data
warehouses while keeping host-based storage in the rest of
the IT universe, says an IT executive who asked not to be
named. At that point, the data warehouse team was responsible
for the SANs. But recently the company expanded SANs to more
of its IT systems in conjunction with adopting
virtualization, and ownership of SANs has shifted to the
production services department that manages IT as a whole, he
says.

Tucson  Electric  Power  was  an  early 
adopter  of  virtualization  and  networked 
storage,  both  of  which  have  made  the  util¬ 
ity’s  IT  operations  far  more  efficient,  says 
Chris  Rima,  supervisor  of  infrastructure  sys¬ 
tems.  Two  years  ago,  Tucson  Electric  hit  a 
wall  with  data  center  growth. 

“We’re  a  power  company,  and  we  didn’t 
have  any  more  power  coming  in,”  Rima 
says.  Virtualization  put  off  for  two  years  the 
need  to  build  a  new,  improved,  more  effi¬ 
cient  data  center,  which  Tucson  Electric  is 
now  building. 

Storage has been a big part of the company’s explosive IT
growth. Data has doubled every year for the past three years,
to 80TB at the end of last year. Among other things, Tucson
Electric needs to store maps and high-resolution images of
its coverage area so it can install power poles in the best
locations, Rima says.

SANs  and  virtualization  may  have  been 
the  company’s  two  saviors,  but  they  have 
also  made  the  IT  department’s  work  more 
complex.  “They  are  so  intrinsically  linked, 
it’s  unbelievable,”  Rima  says.  This  created  a 
need  for  a  new  position:  storage  architect. 

“Instead of somebody who’s solely doing administration work
... the architect is somebody who takes a step back and says,
‘OK, how do I design the architecture to take advantage of
virtualization, data protection [and other factors]?’” Rima
says.

That person needs to understand both storage and
virtualization, and specifically technology from Network
Appliance and VMware, Rima says. Finding the right person
outside the company would have been virtually impossible, he
says. So Tucson Electric trained a storage administrator, who
is due for the promotion soon.

Adventist Health, a hospital operator in Roseville, Calif.,
had a generalist handling its data center until it
implemented a SAN and virtualization. It then hired a small
team of specialists for each new technology, says Greg
McGovern, Adventist’s CTO. Despite the supposed simplicity of
centralized storage and processing, the company also is
relying more on support from vendors, he adds.

“It looks simple on the surface. It looks complex when it
stops working or slows down,” McGovern says. If a doctor in
the field complains that an application running over the
network has slowed to a crawl, vendor support is often called
in. “I think I’ve got WAN engineers who can handle it, but I
need more assurance,” McGovern says.

Pund-IT’s  King  thinks  many  more  compa¬ 
nies  will  face  these  kinds  of  challenges  as 
storage  grows  rapidly  in  importance  as  well 
as  in  terabytes. 

“People  are  still  trying  to  get  their  heads 
around  how  to  do  this,”  King  says.  The 
falling  price  of  storage  equipment  only 
makes  things  worse,  he  added.  “Anybody 
can  afford  enough  data  storage  to  get  them¬ 
selves  in  trouble.”  ■ 

CLEAR CHOICE TEST: 10 GIG ACCESS SWITCHES

10 Gig access switches: Not just packet-pushers anymore

Extensive testing of seven leading switches turns up major
differences in multicast, security, manageability


BY  DAVID  NEWMAN,  NETWORK  LAB  ALLIANCE  MEMBER 

Pity the humble access switch. These packet pushers usually
work so well they’re stuffed into wiring closets and promptly
forgotten. Packet in, packet out. End of story. Or is it? If
the results of Network World’s latest switch tests are any
guide, network managers may need a new lexicon just to make
buying decisions. Our tests found seven next-generation
switches bristle with features that don’t exist in many
previous models — not just physical features such as 10 Gig
Ethernet uplinks but also 802.1X-based network access control
(NAC) authentication, enhanced multicast support, storm
control, denial-of-service (DoS) protection and IPv6 support.

We assessed these switches — all of which sported 48
10/100/1000Mbps ports and two 10 Gig ports — in 10 areas,
encompassing Layer 2 and Layer 3 IPv4 unicast and multicast
performance, Layer 2 multicast group capacity, 802.1X
support, storm control, management and usability, power
consumption, and features. (See “How we did it” at
www.nwdocfinder.com/4121.)

Overall, we found big differences in support and stability in
products tested from Alcatel-Lucent, Cisco, Dell, D-Link,
Extreme Networks, Foundry Networks and HP. For example:

• Multicast throughput and latency varied widely but more
basic issues such as group capacity and even system stability
were bigger differentiators in our tests. It took multiple
software builds from some vendors just to get through
industry-standard multicast tests, and then only using very
different group counts.

• All switches supported 802.1X authentication, but there
were major variations in the level of granularity of access
control. Not every switch supported some common-use cases,
and two switches forwarded unauthenticated traffic when
operating in multi-auth mode, a security issue.

• All devices had “storm control” features to help mitigate
DoS attacks, but these varied widely in terms of rate control
and signature detection.

• IPv6 support remains a work in progress. Some switches
fully support IPv6; others can route IPv6 packets but can’t
be managed over IPv6; yet others lack support for IPv6
routing protocols.

No switch excelled in all of the many areas we examined,
making it difficult to pick winners across the board. Most
switches do fine on simple forwarding of Ethernet and IPv4
unicast traffic. If that’s all that matters to you, pick a
switch on price and usability.

We wouldn’t recommend that, though. Increasingly, other areas
matter more, including security, multicast and IPv6 — and
that’s where real variations among products exist. The Cisco
Catalyst 3750E is the most feature-complete device we tested,
though HP’s ProCurve 3500yl, Extreme’s Summit X450 and
Foundry’s FastIron X448 also fared well in most areas.

Because  access  switches  do  more  than  previous-generation  products, 
the  first  step  in  picking  a  product  is  determining  which  features  matter 
most  —  Layer  2  vs.  Layer  3,  IPv4  vs.  IPv6,  unicast  vs.  multicast,  managed 
vs.  unmanaged,  on-board  security  vs.  no  security  —  and  choosing  the 
device  that  did  the  best  job  in  these  areas. 

Unicast  performance 

Once  upon  a  time,  Layer  2  unicast  performance  tests  would  have  pro¬ 
duced  by  far  the  most  important  results,  but  that’s  changed.  Measuring 
unicast  throughput  on  all  ports,  once  considered  the  acid  test  for 
access  switches,  is  no  longer  a  major  differentiator.  Even  in  the  most 
stressful  test  case  —  with  a  Spirent  TestCenter  traffic  generator  blasting 
minimum-length  64-byte  frames  at  all  switch  ports  —  throughput  was  at 
or  very  close  to  line  rate  for  all  switches  except  D-Link’s  DGS-3650. 

We observed similar results when measuring throughput for
256- and 1,518-byte frames, both in Layer 2 (switched) and
Layer 3 (IP forwarded) configurations. Throughput isn’t the
differentiator it once was.


NETRESULTS

Product: Cisco Catalyst 3750E-48PD-EF Series Switch
Vendor: Cisco, www.cisco.com
Price*: $33,980
Pros: Very extensive feature set; strong multicast
scalability and performance
Cons: Forwarded unauthenticated data in one 802.1X case
Score: 4.49

Product: ProCurve Switch 3500yl
Vendor: ProCurve Networking by HP, www.procurve.com
Price*: $16,096
Pros: Strong unicast and multicast throughput and latency;
highest Layer 2 multicast scalability
Cons: Limited Layer 3 multicast and IPv6 support in version
tested
Score: 4.46

Product: Summit X450a-48t
Vendor: Extreme Networks, www.extremenetworks.com
Price*: $14,480
Pros: Strong unicast and multicast throughput and latency;
passed all 802.1X test cases; extensive feature list
Cons: Limited multicast scalability; factory reset left some
personally identifiable information
Score: 4.35

*Price as tested for switch with at least 48 10/100/1000
Ethernet ports; two 10G Ethernet ports; two 10GBase-SR
transceivers; and all necessary software for IPv4 and IPv6
unicast and multicast traffic handling

After we completed testing, D-Link objected to our
methodology, saying it isn’t indicative of real-world
conditions. We take D-Link’s point, and hope no network
manager would consider running a production network at 99%
utilization or above. But we’ve heard this before many times
and believe it misses the point. No one ever represented that
industry-standard throughput testing practices use real-world
traffic patterns (never mind that reality differs vastly from
network to network). Rather, the goal is to determine the
limits of switch performance.

Multicast  group  capacity 

If unicast performance didn’t differentiate products,
multicast performance certainly did. We assessed multicast by
measuring group capacity and Layer 2 and Layer 3 multicast
throughput and latency. Multicast group counts turned out to
be major differentiators, not just in the capacity tests but
also in the throughput and latency tests.

The  goal  of  the  group  capacity  tests  was  to  determine  the  maximum 
number  of  Internet  Group  Management  Protocol  Version  3  multicast 
groups  each  switch  could  handle.  This  is  a  key  measure  of  multicast 
scalability:  The  more  groups  a  switch  can  track,  the  more  users  can  do 
with  multicast. 

Because this is an access switch test, we configured each device in
Layer 2-only mode and enabled IGMP snooping. Then we configured the
Spirent TestCenter traffic generator/analyzer to join some number of
groups, and measured whether the switch would forward traffic to all
groups without flooding (see “Breaking the standards,”
www.nwdocfinder.com/4032).

The results reveal lots of variation among products, with group
capacity ranging from nearly 1,500 for HP’s ProCurve to less than 70 for Dell’s
PowerConnect (see graphic, this page). For enterprises that need 70 or
fewer multicast groups for the life of the switch, this isn’t an important
distinction; for everyone else — this includes most midsize and large
enterprises, and many small ones as well — group counts do matter.

The capacity test focused only on maximum group count. When it
came to measuring throughput and latency, the group counts supported
by each switch were lower in some cases than others. (See “Some
switches support lower multicast counts at Layer 3” at
www.nwdocfinder.com/4122.)

In part the difference is explained by switch configurations. We
measured Layer 2 throughput and latency using more or less the same
topology as in the group capacity tests. In the Layer 3 tests we enabled
Protocol-Independent Multicast (PIM), a multicast routing protocol,
essentially putting a router on every port. Judging from the supported
group counts where less than half the switches hit the 500 group-count
mark, this is far more stressful on the device under test.

Tracking multicast group capacity

As a key measure of multicast scalability, this group capacity test
determined the maximum number of IGMPv3 multicast groups
each switch could handle.

[Bar chart: IGMPv3 groups supported, for the Alcatel-Lucent, Cisco, D-Link, Dell, Extreme, Foundry and HP switches; the one surviving data label is 1,499.]

It is important to note, though, that it took multiple software builds for
some vendors to obtain these group-count results. Our initial multicast
tests of the Alcatel-Lucent, Dell, D-Link and Foundry switches with 500
groups led to lockups or reboots. All these vendors supplied software
updates that led to more stable switches. However, as the results show,
not all could be tested with 500 groups. If a switch could not hit the
500-group mark we had outlined for throughput and latency testing, we
tested Layer 2 and Layer 3 multicast throughput and latency at the switch’s
maximum group capacity.

HP’s ProCurve did support 500 groups, but with a twist: In Layer 3
testing, it could use only two virtual LANs (VLAN), IP subnets and PIM
router instances, compared with 49 on all other devices. This limitation
would rule out the use of this ProCurve switch in situations where more
than two subnets and multicast routing instances are needed.

Several vendors observed that few customers support 500 multicast
groups at the edges of their networks. But we can argue that conditions
may be changing. In some industries, notably financial services, it’s
common to support dozens to hundreds of multicast group subscriptions for
stock-quote applications. Multicast scalability may not be a top priority
in choosing network devices yet, but it could become more important.

FastIron Edge X Series 448+2XG-PREM
Foundry Networks, www.foundrynet.com
Price*: $15,985
Pros: Strong multicast performance; passed all 802.1X test cases; extensive feature list
Cons: Higher power consumption; larger form factor compared with other switches
Score: 4.23

OmniSwitch 6850 Model OS6850-48X
Alcatel-Lucent, www1.alcatel-lucent.com
Price*: $13,685
Pros: Strong unicast performance; lowest idle power consumption
Cons: Limited multicast scalability; verbose CLI; factory reset left some personally identifiable information
Score: 4.05

PowerConnect 6248P
Dell, www.dell.com
Price*: $5,779
Pros: Strong unicast and multicast throughput and latency
Cons: Limited multicast scalability; limited 802.1X support; forwarded unauthenticated data in one 802.1X case
Score: 3.58

DGS-3650
D-Link Systems, www.dlink.com
Price*: $8,841
Pros: Strong multicast throughput and latency
Cons: Much lower unicast throughput and latency than other switches; limited 802.1X support; limited storm-control granularity
Score: 3.55

Multicast latency measurements vary widely across switches

A big delta between average and maximum latency measurements may indicate an issue with jitter, which can have an adverse effect
on delay-sensitive apps like voice and video. The HP and Alcatel-Lucent switches exhibit much greater variation between average and
maximum multicast latency than other switches. In contrast, all other switches held up traffic at most 1-4 microsec.

[Chart: latency (microseconds), average and maximum for each switch]

Switch  jitters 

Latency, the length of time a switch buffers a frame, also is a key
metric, more important than throughput for such real-time applications as
voice and video. In fact, multicast throughput turned out to be a
nonissue in our tests, with all products moving packets within 0.5% of line rate.

For unicast traffic, differences between products handling midsize
frames were relatively minor, but average and maximum unicast
latencies differed widely when switches handled minimum- and
maximum-length frames. (See “Unicast latency for switches varies more with
larger packets” at www.nwdocfinder.com/4123.) In particular, Foundry’s
X448 exhibited unusually high average and maximum delays when
handling large frames. The vendor says it hasn’t seen this result in other
tests, but it occurred more than once in our lab.

Multicast latencies varied much more, with a 500-fold difference
between the lowest and highest result — both from HP’s ProCurve
switch (see graphic above). A big delta between average and maximum
latency may indicate an issue with jitter, or latency variation, which can
have an adverse effect on delay-sensitive applications such as voice
and video. The HP and Alcatel-Lucent switches exhibit much greater
variation than other switches between average and maximum multicast
latency, with spreads of hundreds or thousands of microseconds. In
contrast, all other switches held up traffic at most 1 to 4 microsec.

The Alcatel-Lucent and HP switches also exhibited much higher
latency for multicast than unicast. Conversely, Foundry’s X448 did far
better with large-frame latency when handling multicast traffic. The
traffic topologies differed in the unicast and multicast tests, making the
comparison a bit unfair, but given that switches move unicast and
multicast alike in silicon we were surprised to see any differences.

Authentication:  Six  scenarios,  seven  stories 

Many switches today support 802.1X authentication, a building block
in NAC. The key question is what kind of access authenticated users can
expect. In the six scenarios we developed for this project, we uncovered
major differences among products in terms of the conditions under
which they’ll grant access, as well as what sort of access they’ll permit.

In the first 802.1X scenario, a client (or supplicant, in 802.1X-speak) gets
authenticated, and the switch places the client into a statically defined
VLAN. All switches passed this basic test, in which the switch connected
Juniper Odyssey supplicants to a Juniper Steel-Belted Radius server (see
“Switches vary on 802.1X authentication support,” page 38).

The second scenario, involving multi-auth, turned out to be the most
problematic, with failures from the Cisco and Dell switches. In this
scenario, there are multiple users attached to a single switch port, and each
must be authenticated before being granted network access. We attached
multiple users using an unmanaged hub (a common-use case in many
corporate conference rooms where there’s only one Ethernet drop).
Other uses for multi-auth include IP phones (which sometimes have a
two-port switch to attach a PC through the phone) and wireless LAN
(WLAN) access points (especially thin access points, which attach to a
switch/controller and field associations from multiple wireless clients).

Most  switches  —  other  than  the  one  from  Extreme  —  require  that 
multi-auth  be  explicitly  configured. 

After doing so, the Cisco and Dell switches authenticated the first user
— but then allowed traffic from the second and subsequent users onto
the network without authentication. The physical-world analogy of this
behavior is “badge tailgating,” in which someone with a door badge
enters an office building and others follow while the door is open. The
security implications are obvious.

Cisco  says  it  strongly  discourages  customers  from  using  multi-auth 
except  for  certain  uses,  such  as  an  IP  phone  with  a  PC  attached,  and 
then  encourages  customers  to  segregate  traffic  onto  different  VLANs. 

Strictly speaking, multi-auth is a violation of the IEEE’s 802.1X standard.
The spec’s media access control (MAC) relay function (the port access
entity) includes a logical switch that’s on or off. There’s no provision for
a sort of “selective on/off” state that permits some frames but denies
others (see “Breaking the standards,” www.nwdocfinder.com/4032).

Still, because there are common-use cases for multi-auth, it’s fairly
widely supported. The danger, as our test results show, is that network
managers may be lulled into a false sense of security, erroneously
believing that enabling 802.1X will result in authentication for all traffic.
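The multi-auth check described above can be expressed as a small audit. The following Python model is an added example, not code from the article or from any vendor; the class, event names and MAC addresses are constructed for illustration. It replays a two-user hub scenario against a port that gates each source MAC and against one that opens port-wide after the first success, and lists every data frame forwarded for a station that is not currently authenticated.

```python
from dataclasses import dataclass, field


@dataclass
class AuthenticatorPort:
    """Simplified, hypothetical model of one switch port with multi-auth enabled."""
    per_mac: bool                       # True: gate each source MAC; False: one gate per port
    authorized: set = field(default_factory=set)

    def handle(self, kind, mac):
        """Apply one event. For 'data' events, return True if the frame is forwarded."""
        if kind == "eap-success":       # the RADIUS server accepted this supplicant
            self.authorized.add(mac)
            return None
        if kind == "eap-logoff":        # the supplicant logged off or its session ended
            self.authorized.discard(mac)
            return None
        if kind == "data":
            if self.per_mac:
                return mac in self.authorized
            # Port-wide gate: open to every station while any supplicant is authorized.
            return bool(self.authorized)
        raise ValueError(f"unknown event kind: {kind}")


def audit(port, events):
    """Replay events in order; return (sequence number, MAC) for each data frame
    that was forwarded although its source MAC was not authenticated at that time."""
    findings = []
    for seq, (kind, mac) in enumerate(events, start=1):
        forwarded = port.handle(kind, mac)
        if kind == "data" and forwarded and mac not in port.authorized:
            findings.append((seq, mac))
    return findings


# Constructed sample: two stations behind an unmanaged hub on one switch port.
USER_A = "02:00:00:00:00:0a"
USER_B = "02:00:00:00:00:0b"
EVENTS = [
    ("data", USER_A),         # 1: before any authentication, must be dropped
    ("eap-success", USER_A),  # 2
    ("data", USER_A),         # 3: authenticated, may be forwarded
    ("data", USER_B),         # 4: second user has not authenticated yet
    ("eap-success", USER_B),  # 5
    ("data", USER_B),         # 6
    ("eap-logoff", USER_A),   # 7: first user leaves, second stays
    ("data", USER_A),         # 8: first user is no longer authenticated
]


def run(per_mac):
    """Audit a fresh port in the chosen mode against the sample events."""
    return audit(AuthenticatorPort(per_mac=per_mac), EVENTS)


if __name__ == "__main__":
    for label, per_mac in (("port-wide gate", False), ("per-MAC gate", True)):
        print(f"{label}: unauthenticated frames forwarded = {run(per_mac)}")
```

The logoff case in events 7 and 8 is worth including in a lab test plan: a port-wide gate keeps forwarding for a departed user as long as any other session on the port is still alive.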


■ Compare more access switches in the Network World Access Switch
Buyer’s Guide at www.nwdocfinder.com/4033.
CLEAR CHOICE TEST 10 GIG ACCESS SWITCHES


Switches vary on 802.1X authentication support

As a basic building block to many network access control (NAC) schemes, 802.1X authentication support is required in any modern day
access switch. We tested these switches in six 802.1X authentication scenarios and the level of success was all over the map.

              Alcatel-Lucent  Cisco  D-Link         Dell           Extreme  Foundry  HP
One user      Pass            Pass   Pass           Pass           Pass     Pass     Pass
Two users     Pass            Fail   Pass           Fail           Pass     Pass     Pass
Dynamic VLAN  Pass            Pass   Pass           Not Supported  Pass     Pass     Pass
Dynamic ACL   Not Supported   Pass   Not Supported  Not Supported  Pass     Pass     Pass (1)
Guest VLAN    Pass            Pass   Pass           Pass           Pass     Pass     Pass
MAC fallback  Pass            Pass   Fail (2)       Fail (3)       Pass     Pass     Pass

1. Syntax issue with 12.25 software, corrected in current 13.x release.

2. Supports MAC authentication, but not concurrently for 802.1X and non-802.1X clients. Switch instead puts failed 802.1X clients and non-802.1X clients into a guest VLAN.

3. Does not support MAC authentication; switch does allow a user-defined number of MAC addresses to be learned dynamically.
The third scenario, involving dynamic VLANs, was far more straightforward.
This one modeled networks in which roving laptop users may plug
into any switch port at random. The goal was for the switch to
dynamically assign a switch port into a given VLAN after authentication.

All switches but one passed this test; the lone exception was Dell’s
PowerConnect 6248, which doesn’t support dynamic VLAN assignment.
Extreme’s X450 goes the other way: Not only did it pass this scenario, but
it allowed the supplicant to be placed into multiple untagged VLANs.

In  the  fourth  scenario,  we  determined  whether  the  switch  could 
dynamically  enable  an  access  control  list  (ACL)  upon  authentication, 
governing  where  the  client  can  go.  As  with  dynamic  VLAN  allocation, 
dynamic  ACLs  can  be  useful  with  mobile  work  forces,  where  employees 
should  gain  access  to  specific  resources  regardless  of  location. 

The  Cisco,  Extreme,  Foundry  and  HP  switches  all  support  this  feature. 
We  needed  to  use  an  undocumented  syntax  to  get  dynamic  ACLs  to 
work  with  the  HP  switch,  but  the  vendor  says  this  has  been  corrected  in 
currently  shipping  software  (we  did  not  verify  this).  Switches  from 
Alcatel-Lucent,  D-Link  and  Dell  do  not  support  this  feature. 

So far, all the 802.1X scenarios have covered situations in which
authentication succeeded. In our fifth scenario, we deliberately failed
authentication to determine whether switches would place a client into
a guest or restricted VLAN. This is a common requirement, not just for
enterprise employees who mistype a password but also for visitors and
contractors who may not have authentication credentials. All switches
tested offer a guest VLAN capability without issue.

In our final test scenario, we looked for the switch to concurrently
support both 802.1X clients and non-802.1X clients. For better or worse,
802.1X isn’t yet pervasive. There are large numbers of networked devices,
such as printers, that do not have 802.1X supplicant software. For this, it’s
desirable to have a feature Cisco calls “MAC authentication bypass.”

All switches we tested, except those from D-Link and Dell, support
fallback to MAC authentication with a non-802.1X client. D-Link’s DGS-3650
supports MAC authentication but not concurrently with 802.1X. Dell’s
PowerConnect 6248 does not support MAC authentication, although it
can restrict access to a user-defined number of MAC addresses.

The Cisco Catalyst 3750E also supports three 802.1X scenarios we
didn’t test for. It can place non-802.1X clients into a special restricted VLAN,
distinct from a guest VLAN for unauthorized or unremediated 802.1X
clients. It can automatically fall back to Web-based authentication if
802.1X authentication doesn’t occur within a given timeframe. And it
can authenticate multiple devices on a port and place each in a
different VLAN (this is different than the multi-auth case in which all devices
enter the same VLAN). We didn’t test any of these additional capabilities.

Management  and  security 

In  assessing  switch  management  and  security  we  sought  to  answer 
three  questions:  Did  devices  follow  current  best  practices  by  default? 
Could  users  configure  switches  to  follow  these  best  practices?  And 
could  switches  be  wiped  clean  of  any  sensitive  information  before 
being  taken  out  of  deployment? 

The “wipe clean” question stems from regulatory requirements in a
growing number of industries. For example, the National Institute of
Standards and Technology, the U.S. government’s standards body, and
the credit card industry’s Payment Card Industry Data Security Standard
(PCI DSS) both require the deletion of any personally identifiable
information before disposal.

We assessed reset capabilities by deleting each switch’s start-up
configuration file after putting it through performance and security tests. For
all but the Alcatel-Lucent, Extreme and HP switches, that was enough to
wipe the systems clean. HP’s ProCurve switch stores passwords
separately in flash memory, but these can be deleted by using the front-panel
buttons. The procedure is documented, and HP says it’s moving toward
inclusion of encrypted passwords in the switch configuration file.

The Alcatel-Lucent and Extreme switches retain passwords even after
a factory reset. In addition, Extreme’s Summit X450 also retains the
private SSH key, which could allow an attacker to pose as an authorized
device even after the switch has been retired.

We also determined which management methods were enabled by
default, and which would need to be enabled or disabled by network
managers (see “Tracking support for management and security best
practices” at www.nwdocfinder.com/4124).

These best practices include disabling nonsecure management
methods such as telnet (supported out of the box over IPv4 by all switches by
default), Web and SSHv1. Best practices means accessing the switch only
through secure methods such as SSHv2 and/or Secure-HTTP and also
logging switch events to a syslog server (a requirement under many
enterprise security policies).

The Cisco Catalyst 3750E adhered the closest to security best practices.
However, it supports telnet by default, as do all switches. Also, when
enabling SSH the Catalyst supports the nonsecure Version 1 of that
protocol (although SSHv1 can be disabled via an additional command).

SCORECARD

Action and weighting                    Cisco  HP    Extreme  Foundry  Alcatel-Lucent  Dell  D-Link
Layer-2 unicast performance (15%)       4.50   4.75  4.50     4.17     4.67            4.42  3.00
Layer-3 unicast performance (15%)       4.50   4.67  4.50     4.08     4.58            4.42  3.17
Layer-2 multicast group capacity (10%)  5.00   5.00  4.25     4.00     3.00            2.00  4.25
Layer-2 multicast performance (10%)     4.50   5.00  4.75     4.58     3.50            4.50  4.50
Layer-3 multicast performance (5%)      4.50   3.67  4.75     4.67     4.00            4.58  4.50
802.1X/NAC support (10%)                3.50   4.50  5.00     5.00     3.50            2.00  3.00
Storm control (5%)                      5.00   4.50  4.25     4.50     4.50            3.00  2.50
Management and security (10%)           4.00   3.50  2.50     3.75     3.50            2.75  3.50
Power consumption (5%)                  4.25   4.00  4.50     2.50     5.00            4.50  4.50
Features (15%)                          5.00   4.25  4.50     4.50     4.25            3.50  3.50
Total                                   4.49   4.46  4.35     4.23     4.05            3.58  3.55

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available.

In general, management over IPv6 isn’t as solid as over IPv4. Two
switches, from Dell and HP, didn’t support IPv6 management on their
default VLANs in our tests, although HP says it’s currently shipping 13.x
software that does support IPv6 on the default VLAN. Also, there were a
couple of cases in which options offered with IPv4 weren’t available
over IPv6. We were unable to configure syslog over IPv6 on the Cisco
Catalyst 3750 or Extreme’s Summit X450. And the Extreme switch didn’t
support Web- or SSL-based management over IPv6.

As with multicast and 802.1X, IPv6 support is relatively new in many
switches, and support for all features is far from complete. For network
managers considering IPv6 deployment, it’s not enough to consider
whether a switch will forward IPv6 packets; supporting management
over IPv6 is critical as well.

Sharp-eyed readers will notice we haven’t covered SNMP
management over either IPv4 or IPv6. Problems with our test bed setup
prevented us from completing SNMP verifications; however, SNMP support
is covered in our features section.

Storm  control 

Tools to block DoS attacks, once the exclusive purview of
intrusion-detection/prevention systems, are now included in most switches’
security arsenals. While all switches we tested can classify and block
malicious traffic, there are differences in the depth of coverage.

At a high level, “storm control” takes two forms: Rate-controlling traffic
and blocking specific attacks. Rate control in turn may be divided into
separate commands for throttling unicast, broadcast and multicast
traffic, though not all switches support this. For example, it may be desirable
to set one drop threshold for unicast traffic (TCP SYNs, say, to block a
SYN flood attack) and another threshold for broadcasts (perhaps to
avoid overwhelming the switch’s CPU).

All switches offer the ability to throttle traffic. The D-Link 3650’s rate
controls are limited to broadcast and multicast traffic, while Extreme’s
Summit X450’s rate controls specifically target CPU-bound packets.
Dell’s PowerConnect 6248 Web-based GUI appears to allow rate control
over only one class of traffic at a time (unicast, broadcast or multicast),
but in practice different classes with different thresholds can be
defined by issuing multiple commands. The other switches (and the
Dell PowerConnect’s CLI) all support individual commands for
throttling different traffic classes.

Attack signature detection varied widely among switches. Some
devices — such as those from Alcatel-Lucent, Dell, Extreme and Foundry
— include signatures for between two (Foundry) and 29 (Extreme)
well-known forms of attack, and drop these packets. HP’s ProCurve 3500
uses an anomaly-based approach it calls “virus throttling” to detect and
block malicious traffic. Foundry’s FastIron X448 also has hooks that tie
into external monitoring tools, such as SFlow monitors or a Snort IDS,
that will drop frames when traffic matches a given signature.

No  spoofing  allowed 

Some switches also support antispoofing mechanisms targeting
Dynamic Host Configuration Protocol, Address Resolution Protocol and
even plain-vanilla IP traffic.

All  switches  support  DHCP  snooping  (D-Link  calls  this  “DHCP  server 
dynamic  binding”),  which  sets  up  a  binding  between  an  authorized 
DHCP  server’s  IP  and  MAC  addresses.  This  helps  prevent  clients  from 
receiving  bogus  addresses  from  a  rogue  DHCP  server. 

The Cisco and Foundry switches support IP source guard, which is
conceptually similar to DHCP snooping. The switch blocks all traffic
until it sees a valid DHCP conversation, then it will allow traffic only
from that IP-MAC binding. This helps prevent some man-in-the-middle
attacks in which an intruder spoofs a source IP address.

The Cisco, Extreme, Foundry and HP switches also support “dynamic
ARP inspection,” which will drop any packet with previously unseen
IP-MAC bindings. This is useful in preventing some man-in-the-middle
attacks, in which an attacker poses as a previously seen station and
redirects traffic through a different switch port using a new MAC address.
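How the three antispoofing checks fit together is easier to see in a model. The following Python sketch is an added example, not code from the article or from any switch vendor; it assumes the usual design in which DHCP server replies are trusted only on designated ports and each client lease is recorded as a MAC, IP and port binding. The class name, port numbers and addresses are constructed for illustration.

```python
class SnoopingSwitch:
    """Simplified access switch: DHCP snooping feeds source guard and ARP inspection."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports where a DHCP server is allowed
        self.seen_on = {}                  # client MAC -> port of its last DHCP request
        self.bindings = {}                 # client MAC -> (leased IP, port)

    def dhcp(self, port, msg, client_mac, ip=None):
        """Return True if the DHCP message is forwarded."""
        if msg in ("OFFER", "ACK"):        # server-side messages
            if port not in self.trusted:
                return False               # reply from a rogue server: drop
            if msg == "ACK" and client_mac in self.seen_on:
                self.bindings[client_mac] = (ip, self.seen_on[client_mac])
            return True
        if msg in ("DISCOVER", "REQUEST"):
            self.seen_on[client_mac] = port
            return True
        if msg == "RELEASE":
            self.bindings.pop(client_mac, None)
            return True
        raise ValueError(f"unsupported DHCP message: {msg}")

    def _bound(self, port, mac, ip):
        # Trusted ports are exempt; elsewhere MAC, IP and port must all match.
        return port in self.trusted or self.bindings.get(mac) == (ip, port)

    def ip_packet(self, port, src_mac, src_ip):
        """IP source guard: forward only traffic that matches a learned binding."""
        return self._bound(port, src_mac, src_ip)

    def arp(self, port, sender_mac, sender_ip):
        """ARP inspection: forward only ARP whose sender fields match a binding."""
        return self._bound(port, sender_mac, sender_ip)


def replay(switch, trace):
    """Feed a trace of (kind, *args) tuples to the switch; return forward verdicts."""
    handlers = {"dhcp": switch.dhcp, "ip": switch.ip_packet, "arp": switch.arp}
    return [handlers[kind](*args) for kind, *args in trace]


# Constructed sample: port 1 is the DHCP server uplink, ports 3 and 7 are user ports.
CLIENT = "02:00:00:00:00:01"
OTHER = "02:00:00:00:00:02"
TRACE = [
    ("dhcp", 3, "REQUEST", CLIENT),        # client asks for a lease
    ("dhcp", 7, "ACK", CLIENT, "10.0.0.66"),  # server reply from a user port
    ("ip", 3, CLIENT, "10.0.0.20"),        # traffic before any valid lease
    ("dhcp", 1, "ACK", CLIENT, "10.0.0.20"),  # reply from the trusted uplink
    ("ip", 3, CLIENT, "10.0.0.20"),        # matches the binding
    ("ip", 7, OTHER, "10.0.0.20"),         # another station using the leased IP
    ("arp", 7, OTHER, "10.0.0.20"),        # new MAC claiming the leased IP
    ("arp", 3, CLIENT, "10.0.0.20"),       # legitimate ARP
    ("arp", 7, CLIENT, "10.0.0.20"),       # bound MAC showing up on another port
    ("dhcp", 3, "RELEASE", CLIENT),        # lease given back
    ("ip", 3, CLIENT, "10.0.0.20"),        # binding is gone again
]


def run():
    """Replay the sample trace on a fresh switch with port 1 trusted."""
    return replay(SnoopingSwitch(trusted_ports=[1]), TRACE)


if __name__ == "__main__":
    for entry, verdict in zip(TRACE, run()):
        print("forward" if verdict else "drop   ", entry)
```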

Usability 

Any assessment of switch usability is subjective. While there are some
objective measures that can be applied (for example, it might take 17
steps to enable SSH on one switch and five on another), usability
assessments ultimately come down to what’s most comfortable for the user.

For most of the industry, “comfort” means a command-line interface
(CLI) that is or closely resembles Cisco IOS. It hasn’t escaped the attention
of Cisco competitors that more network engineers are trained in IOS than
any other CLI. In this test, the Dell, Foundry and HP CLIs were very
IOS-like. HP’s was probably the closest, with Foundry’s close behind (although
they use different syntaxes for referring to physical and virtual
interfaces). The Dell CLI was inconsistent in a few places. For example, some
commands refer to an interface with an Ethernet prefix and others don’t.

The Alcatel-Lucent, D-Link and Extreme switches use homegrown CLIs.
Perhaps it’s our greater familiarity with it, but we found Extreme’s XOS CLI
by far the easiest of these to learn and navigate. It also offers some useful
monitoring features we didn’t see in other switches, such as the ability to
monitor port statistics, even across multiple ports, in real time.

The  CLI  in  Alcatel-Lucent’s  OmniSwitch  saves  configurations  twice,  in 
“working”  and  “certified”  directories.  This  feature  can  be  very  useful  in 
testing  new  configurations,  because  it  lets  network  managers  roll  back 
to  a  known  good  configuration  in  case  of  error. 

One aspect of the OmniSwitch CLI we didn’t like: Unlike all other
switches tested, it can’t execute the shortest unambiguous version of a
command. For example, while most switches will understand that “sh
run” is an abbreviation for “show running-configuration,” the
OmniSwitch instead must receive the longhand version of “show
configuration active.” The fact that the OmniSwitch has tab completion for
commands is only partial compensation; switch configuration would
run faster if the CLI accepted abbreviated commands, like all others.

The D-Link DGS-3650’s CLI configuration syntax is verbose, sometimes
too much so. As with many other CLIs, typing the tab key will display
options for completing a command. Unlike all others, the switch places
a full string on the command line, which the user has to erase. For
example, typing “config vlan <tab>” places the string “config tab <vlan_name
32>” on the command line, and the user must delete “<vlan_name 32>”
before continuing. While it’s useful to know a VLAN name can be 32
characters long, the need to erase strings got tiresome after a while.

We also did a quick review of vendors’ documentation. While all
documentation adequately described the commands available on each
switch, they differed in explaining the basic technology behind each
command, and why users would want to use (or not use) that
technology. Dell’s and D-Link’s documentation included relatively little
technology background. Of the others, we considered the Cisco, Extreme
and Foundry documentation to offer the most complete technology
tutorials. HP’s documentation also is first-rate but doesn’t cover as many
features as some of the other switches, especially for IP multicast.

One usability area we did not assess was the Web-based management
of each system. We freely admit a bias for the CLI. While we’re sure there
are plenty of fans of graphical management, we’re not among them.

Switch  features 

While this test’s key takeaway may be the big differences in new
features, the good news is that, with a very few exceptions, all switches
support the same basic Layer 2/Layer 3 functions. They’re all 1U systems
with 48 10/100/1000Mbps ports and at least two 10 Gig Ethernet uplinks
(except Foundry’s FastIron X448, which is 1.5U high). They all offer basic
Layer 2 and Layer 3 IPv4 forwarding features, and full support for VLANs,
802.3ad link aggregation and Layer 2 and Layer 3 QoS controls. All even
re-mark diff-serv codepoints (DSCP), a best practice when classifying
traffic for QoS treatment. (It’s not a good idea to trust incoming DSCPs.)
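
The re-marking practice mentioned above, sketched as an added example (it is not from the article or from any vendor's firmware): the DSCP is assigned from a per-port policy rather than copied from the incoming header, the ECN bits are kept, and the IPv4 header checksum is recomputed. The port names, the policy table and the sample packet are constructed assumptions.

```python
import struct

# Constructed policy table: DSCP is assigned from the ingress port's class,
# never from the value the sender wrote into the header.
# Port names and class choices are assumptions for this example.
EF, AF21, BEST_EFFORT = 46, 18, 0
PORT_POLICY = {"voice-vlan": EF, "server-uplink": AF21}


def ipv4_checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071) over an even-length IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def dscp_of(packet: bytes) -> int:
    """DSCP is the upper six bits of the second header byte."""
    return packet[1] >> 2


def remark_dscp(packet: bytes, ingress_port: str) -> bytes:
    """Overwrite the sender's DSCP with the policy value for the ingress port."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    header = bytearray(packet[:ihl])
    # A valid header, checksum field included, sums to zero after complement.
    if ipv4_checksum(bytes(header)) != 0:
        raise ValueError("header checksum mismatch")
    # Unknown ports fall back to best effort instead of trusting the sender.
    dscp = PORT_POLICY.get(ingress_port, BEST_EFFORT)
    header[1] = (dscp << 2) | (header[1] & 0x03)  # keep the two ECN bits
    header[10:12] = b"\x00\x00"                   # zero checksum before recompute
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def build_sample(tos: int) -> bytes:
    """Constructed 28-byte IPv4/UDP-sized packet using documentation addresses."""
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, tos, 28, 0x1234, 0, 64, 17, 0,
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5])))
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + b"\x00" * 8


if __name__ == "__main__":
    # A host on an unclassified port claims EF (46) for its own traffic.
    claimed = build_sample((EF << 2) | 0x01)
    for port in ("guest-port", "voice-vlan", "server-uplink"):
        out = remark_dscp(claimed, port)
        print(f"{port:14} in DSCP={dscp_of(claimed):2} -> out DSCP={dscp_of(out):2}")
```
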

Differences start to appear beyond these basics. For example,
Foundry’s FastIron X448 is the only one not stackable (Foundry has
other stackable products but supplied the X448 for this project). MAC
address capacity ranges from 8,192 for Dell’s PowerConnect 6248 to
more than 64,000 on HP’s ProCurve. And the Alcatel-Lucent and D-Link
switches were the only two not yet supporting the IEEE’s 802.1AB Link
Layer Discovery Protocol (LLDP), a relatively new standard describing
how link partners can exchange capabilities information.

Power over Ethernet (PoE), often used at the edges of enterprise
networks to drive IP phones and WLAN access points, is another
differentiator. Every vendor in this test sells PoE-capable switches, but only Cisco,
Dell, Extreme, Foundry and HP supplied PoE gear. The Cisco Catalyst
3750E is the only device tested capable of delivering power to all 48
downlink ports simultaneously. The others require an external power
supply to do so. (We didn’t measure PoE power consumption; these
figures are from the vendors’ responses to our features questionnaire.)

IPv6 support also varies widely. For most enterprises, spotty IPv6
support may not matter — at least not today. But there’s a strong and
growing probability that IPv6 will matter before switches end their
depreciation cycles in three to five years. Even for enterprises with no IPv6 now
in place, it’s still very much worth considering.

Any  switch  configured  in  Layer  2  mode  can  forward  IPv6  packets 
because  it  doesn’t  know  or  care  about  Layer  3  headers. When  configured 
as  Layer  3  forwarding  mode,  all  switches  tested  except  HP’s  ProCurve 
move  IPv6  packets  between  subnets  (at  least  in  the  version  we  tested;  HP 
says  current  13.x  releases  do  support  IPv6  but  we  didn’t  verify  that). 

That’s not the end of the IPv6 story though. It’s important to distinguish
between forwarding (moving packets between subnets using direct or
static routes) and routing (running a routing protocol to learn
dynamically where to send packets). The D-Link, Extreme and HP switches do
not support the major enterprise IPv6 routing protocols, Open Shortest
Path First Version 3 and RIP next generation. And, as noted, there are
major differences in switch management methods over IPv6.

As for multicast over IPv6, the Dell and HP switches don’t support
either version of multicast listener discovery, IPv6’s functional
equivalent of Internet group management protocol in IPv4. D-Link’s DGS-3650
supports Multicast Listener Discovery Versions 1 and 2.

Power  consumption 

With large data centers’ electric bills topping $1 million a month, power
consumption is a major concern. Using Fluke clamp meters, we measured
each switch’s power draw when idle and again when its control and data
planes were fully loaded. (See “Tracking power consumption: How low
can the switch go?” at www.nwdocfinder.com/4125.)

The  results  show  a  roughly  threefold  difference  between  the  most 
miserly  and  power-hungry  device,  but  most  switches  used  similar 
amounts  of  power,  drawing  anywhere  between  128  and  154  watts  when 
fully  loaded.  Alcatel-Lucent’s  OmniSwitch  6850  wins  bragging  rights  for 
the  most  efficient  device  when  idle, using  just  79  watts.  Extreme’s  Summit 
X450  was  the  most  efficient  when  fully  loaded,  requiring  128  watts. 

Foundry’s FastIron X448 was an exception. It uses 255 watts when idle
and 316 watts fully loaded, more than double that of other switches. At
1.5 rack units, it’s also slightly larger than all other switches, which take
up one rack unit apiece.

Wrapping  up 

There are plenty of differences among switches, especially when it
comes to newer features. Just because basic functions long ago entered
commodity status doesn’t mean the switch wars are settled. As our test
results show, new additions such as multicast, 802.1X and security are
making access switching interesting all over again.

Newman is president of Network Test, an independent test lab in
Westlake Village, Calif. He can be reached at dnewman@networktest.com.
Fellow Lab Alliance member Rodney Thayer contributed to this testing.
Networx

continued  from  page  11 

it’s unfortunate for the folks with Networx
Enterprise contracts only. There’s not much
difference between those two contracts. Every
product and service that the three Universal
bidders bid, they also put on Enterprise.
Universal has more features, functions and
more geographic ubiquity.”

Sprint's  fate 

One trend to watch is what happens to
Sprint’s federal customers. Sprint was an
incumbent on the two previous federal
umbrella telecom programs — FTS 2000 and
FTS 2001 — but lost out on Networx Universal,
where about 80% of federal agencies are
making their selections. Sprint later won a Networx
Enterprise contract.

Sprint, for example, used to provide voice
services to Customs, which chose Networx
Universal contractor AT&T as its primary voice
provider and Qwest as its secondary or
diversity voice provider. The Energy Department
used Sprint to run a small data network, but it
has chosen to go with Networx Universal
instead.

The  Labor  Department,  on  the  other  hand,  is 
a  big  Sprint  customer,  and  it  is  giving  Sprint  a 
chance  to  keep  its  voice  and  data  services  by 
transitioning  to  Networx  Enterprise.  The 
Department  of  Veterans  Affairs  is  another 
Sprint  customer,  but  it  hasn’t  announced 
whether  it  will  transition  to  Networx  Universal 
or  Networx  Enterprise. 

“There’s a perception issue with regard to
Universal vs. Enterprise,” says Bill White, acting
vice president of federal sales with Sprint.
“Enterprise was supposed to be more niche or
regional, when in reality the footprint of
services that can be provided matches
identically with the Universal contract. All of the
locations in the U.S. and Guam can be covered
with Enterprise or Universal, but there’s a gap
in understanding of that.”


The  carrier  with  the  most  to  gain  on  Networx 
is  Level  3,  which  has  no  legacy  business  in  the 
U.S.  federal  market. 

“We’ve passed our [certification] for
Networx Enterprise, we have our official
letter, and we’re ready to take orders. For us,
that’s just been a Herculean effort,” says
Edward Morche, general manager for Level
3’s federal markets group. “We’re seeing an
increased level of interest in agencies
finding out who we are.”

Morche says Level 3 is positioning itself as an
all-IP network provider that can provide
resilience and diversity to agencies that are
focused on disaster recovery.

“The majority of agencies are going with
Universal. That’s easier for agencies because
it’s a like-for-like transition from FTS 2001,”
Morche says. “We’re trying to tell agencies
that we’re not a [local exchange carrier].
We’re not going to offer 2,000 discrete
services. We’re very focused on offering the
services that we do well.”


Novell 

continued  from  page  18 

ment, security middleware and application
servers. At each level, Novell has a competitive
and complementary strategy.

“We are not going to replace system
management frameworks, but we solve a unique set of
problems that are new because of the
evolution of consolidation, virtualization and
optimization. We can build on top of those
frameworks, and that is where Novell gets a
legitimate shot,” Hovsepian says.

He  says  the  stack  can  be  built  on  one  of  two 
foundations:  J2EE  or  .Net. 

“Let’s be realistic — I want you to pick the
J2EE stack not the Microsoft stack,” Hovsepian
says. “But after you pick one, I want to show that
I do this better at the [operating system] level
than anyone, that I have the best desktop-to-
data-center Linux story and I work with
Windows. That is the subtlety that is very
important for us.”

Hovsepian  is  pumped  up  to  take  his  shot 
against  anyone,  but  Novell  is  not  without  its 
challenges,  including  Red  Hat,  which  owns 
nearly  80%  of  the  Linux  market. 

Observers say that his strategic tactics,
however, are a pragmatic evaluation of Novell’s
future opportunities.

“It’s  smart  for  Novell  to  define  the  way  they 
want  to  compete  and  to  create  an  image  of 
how  they  want  to  be  positioned,  and  not  fall 
into  the  trap  of  letting  others  put  them  in  a 
box,”  says  Gerry  Gebel,  an  analyst  with  the 
Burton  Group. 

Novell is using acquisitions to help refine
that positioning, including its February
purchase of SiteScape and its ICEcore
collaboration tools, a Web-based team workspace
and real-time conferencing platform that
includes Web 2.0 and social-networking
technologies.

Those qualities were missing from a
collaboration portfolio that included just GroupWise,
an aging messaging platform Novell has
spruced up over the years with such features as
instant messaging.

Novell, which will sell the SiteScape
technology in an OEM capacity before buying the
company, turned the technology into its
Teaming + Conferencing platform but continues to
support the open source ICEcore project.

That  project  encourages  contributors  to 
build  Web  2.0  and  social-networking  tools 
for  the  platform,  in  much  the  same  way 
Microsoft  is  encouraging  developers  to 
build  those  add-ons  for  SharePoint  and 
IBM/Lotus  is  doing  with  Quickr. 

Novell plans to continue to tap acquisitions,
such as SiteScape and the recent $205 million
purchase of PlateSpin, to fill out its product line
and meet its strategic goals.

“You are going to see us use organic and
inorganic, or acquisitions, as methods to
innovate and to position ourselves,” Hovsepian says.
“We don’t need to go outside those businesses
because those markets are so big.”

As Novell looks long range, users are hoping
it will clear up some short-term issues
including education, certifications and desktop
application support.

“When it comes to hiring people, it is a
challenge for us,” says Tom Johnson, director of IT
of Chicago-based Metropolitan Bank Group.
“Novell could help by expanding its [Certified
Linux Engineer] program, their certifications
and getting people more educated.”

Baldor Electric’s Shackelford said
independent-software-vendor support is getting better
but needs improvement if Novell really wants
Linux to find a place on the desktop.

If  Hovsepian  has  his  way,  the  short-term 
issues  will  get  solved  within  the  success  of 
his  overall  plan. 

Even  though  Novell  has  defined  its  goals, 
however,  it  still  faces  the  nemesis  lingering 
from  its  closing  days  as  a  big-time  technology 
provider  —  execution.  ■ 
Reviewing your top IT hates

Mark Gibbs

My column of a few weeks ago, “My top
eight IT hates” (www.nwdocfinder.com/4152),
garnered quite a few responses.
Reader Antonio San Marco responded about
my hatred of undated Web content, saying he
was with me 100%.

But reader Kevin Pieper disagreed. “I’ve
written articles and guides online for topics that
will not change. Some of them go back to 2002,
and the information is as current in 2008 as it was then — the topic is
not going to change, period. Yet not one week goes by that some
moron doesn’t e-mail me — without even reading the article —
asking if it’s still accurate? I’ve started to remove the dates on everything
but timely content. People are too stupid to handle dates.”

I’m afraid this is a consequence of making anything written public
and making it possible for people to respond. If they do respond, are
you obliged to answer? That’s up to you. Speaking for myself, if you
write me I feel obligated to reply if I have time (which is usually but
not always the case) and as long as you are being at least moderately
polite and appear to be rational.

Regarding my hatred of WinRot, Pieper suggested that, “To even say
‘WinRot’ is to live in the Mac/Linux land of lollipops and ice cream.
Well, no OS is perfect. The more you add/install/customize/alter, the
more chances of system breakdown occur.” He has a point, but I
contend that Windows OS rot is far worse, far more common and harder to
resolve than with any other operating system.

In my corner on the WinRot issue was reader Tyler Regas who
wrote: “If it helps, I agree that there is such a thing as WinRot. I
have come directly up against it many times. It’s real and it’s
dangerous. I got your back.”

Reader Darron suggested another hatred: “Lack of authority to
enforce IT rules. The managers/directors/vice presidents who are
beyond reach of IT rule enforcement are often some of the worst
wasters (bandwidth, toner, manpower) in any company and they’re
typically the first ones to bring in viruses and Trojans.” I’m betting that’s
going to be something a lot of IT people will agree on.

Reader Chip Orr offered this hate: “The progress meter that blatantly
lies. I’ve recently installed ArcGIS for a few of my users and each time
the installer gets down to ‘30 seconds remaining’ it stays there for 10 or
20 minutes.” And couple that with “the endless parade of installation
steps. You watch the progress bar creep towards completion, and just
when you think you’re done, it starts over at zero. How many more
iterations are left? 1? 100? There’s no way to know!”

Orr then got on a roll: “I don’t expect an installer to tell me to the
second when it will be done, but it would be nice if it would give
reasonably accurate time frames, like ‘you have time to get a cup of
coffee’, or ‘you can backpack through Europe for a month’. On the other
hand, maybe I should count my blessings that these counters aren’t
like the cable guy or the plumber — ‘your software will be installed
sometime between 8 a.m. and 2 p.m.’”

Finally, reader JWM had a list of 10 hatreds that all read, “The way
Microsoft _____” and he suggested that I could fill in the
blanks.

Gibbs  is  keeping  his  hatreds  bottled  up  in  Ventura,  Calif.  Uncork  yours 
to  backspin@gibbs.com. 


No  PR  purge  here,  says  security  vendor 
Now you see them, now you don’t . . . now
you do? Such was the fate last week of
online press releases and testimonials
touting Hannaford’s use of Rapid7’s flagship
risk-management product. The relationship
between the companies had become notable
after news of the beleaguered grocer’s data
breach made major headlines.

The erasure of Hannaford from Rapid7’s site
was especially curious because Rapid7 was
contending that Hannaford has cleared its
product of any culpability in the breach. (Hannaford didn’t return my
calls.) Moreover, Rapid7 couldn’t seem to settle on a single
explanation — even with the CEO giving it his best shot — for what the
company insisted was not an aborted PR purge.

Hannaford had long been a poster child for Rapid7’s product,
NeXpose, with numerous mentions on its site, all of which (save one)
had gone missing as of last Tuesday. On Wednesday morning, a
company spokesman told me the Hannaford deletions were in response
to a direct request from the grocery chain.

A few hours later, as though by magic, all the Hannaford stuff
reappeared on the Rapid7 site . . . and the fun really began.

On  my  second  call,  I  got  a  different  Rapid7  marketing  guy  who  told 
a  completely  different  story.  He  said  the  Hannaford  materials  were 
taken  off  the  Web  site  in  response  to  a  massive  traffic  spike  that  had 
hampered  customer  downloads. 

Sounded unlikely, so I tried CEO Alan Matthews, who said the
decision to remove the Hannaford materials from his company’s Web site
was made in tandem by his marketing and network people after news
of the Hannaford data breach hit the fan. So far, so good. Less clear
was why they did it, and Matthews was of limited help in explaining
the various discrepancies.

Regarding Explanation No. 1, namely that Hannaford requested the
materials be taken down, he said: “There may have been a discussion
about it (between his people and Hannaford), but I’m not sure who
actually suggested it or requested it. We may have suggested that we’d
done it already and they may have said that’s fine.”

The  first  Rapid7  spokesman  had  been  unequivocal  in  saying  that 
Hannaford  requested  the  purge. 

Regarding Explanation No. 2, namely that traffic spike, Matthews
said: “When the Hannaford breach was announced, the person
who normally administers our Web site thought, ‘OK, we should
take the press release down,’ and he took it down. Because the
page went 404, he decided that he would take all Hannaford stuff
down. There was a lot of network traffic, although I think (the
person who gave me Explanation No. 2) was kind of just making that
up as to what happened.”

Indeed,  that  guy  had  admitted  to  a  shaky  grasp  of  the  facts. 

Regarding why the Hannaford materials suddenly reappeared,
Matthews said: “When I got involved yesterday afternoon I said, ‘Well,
there’s no reason to do this; no one has actually asked us to do this.
We should just put it back up the way it was.’”

Everyone  clear  now? 

As for that lone mention of Hannaford remaining on the post-purge
Rapid7 site, it was prominently positioned at the top of the company’s
press page and informed reporters who might arrive there that
Hannaford had renewed its contract with Rapid7 after the breach was
discovered. Rapid7 says that renewal demonstrates the customer’s
continuing confidence in the product.

But is Rapid7 concerned that despite Hannaford’s newly inked
contract, despite its reported exoneration and because of the temporary
airbrushing of Rapid7’s Web site, some may still associate NeXpose
with this mega-breach?

“The  worry  might  be  that  people  will  get  the  wrong  impression,” 
Rapid7  spokesman  No.  1  told  me. 

Episodes  of  this  nature  do  tend  to  create  impressions  —  rarely  good. 

Once  your  story  is  straight,  e-mail  it  to  buzz@nww.com. 